https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603038#M104951 <P>Has anyone run into an issue where a Splunk HF, is not monioring files being written to it. This HF is also a syslog server so files are being written to it and the monirotied inputs are on the server. The file ingestion happens after a restart. Any pointers?</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 23 Jun 2022 21:20:22 GMT djreschke 2022-06-23T21:20:22Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603038#M104951 <P>Has anyone run into an issue where a Splunk HF, is not monioring files being written to it. This HF is also a syslog server so files are being written to it and the monirotied inputs are on the server. The file ingestion happens after a restart. Any pointers?</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 23 Jun 2022 21:20:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603038#M104951 djreschke 2022-06-23T21:20:22Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603043#M104952 <P>If file ingestion happens after a restart then when does it stop?&nbsp; How many files are being monitored?&nbsp; Are ulimits set correctly?</P><P>Is the HF acting as the syslog server or is it just monitoring files written by a dedicated syslog server (like syslog-ng)?&nbsp; If the former, why?&nbsp; That's bad practice.&nbsp; If the latter, consider using a universal forwarder unless transforms are needed.</P> Thu, 23 Jun 2022 15:59:03 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603043#M104952 richgalloway 2022-06-23T15:59:03Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603045#M104953 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;The time it stops is unknown at this time, I get alerted when logs stop being collected on a daily basis. Its a syslog server so a lot of files, 20 - 40 files depending on activity. ulimit is set at 0.&nbsp;</P> Thu, 23 Jun 2022 16:26:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603045#M104953 djreschke 2022-06-23T16:26:20Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603438#M104994 <P>20-40 files is not a lot for Splunk to monitor.</P><P>I'm concerned about ulimit settings of zero.&nbsp; Splunk recommends higher values than that.&nbsp; See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Considerations_regarding_system-wide_resource_limits_on_.2Anix_systems" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Considerations_regarding_system-wide_resource_limits_on_.2Anix_systems</A></P><P>A lower ulimit can have unknown effects on Splunk, possibly including not monitoring files.</P> Mon, 27 Jun 2022 19:25:41 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603438#M104994 richgalloway 2022-06-27T19:25:41Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603441#M104996 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;I agree, it is not a lot of files. Current ulimit settings</P><P>&nbsp;</P><P># ulimit -a<BR />core file size (blocks, -c) 0<BR />data seg size (kbytes, -d) unlimited<BR />scheduling priority (-e) 0<BR />file size (blocks, -f) unlimited<BR />pending signals (-i) 514862<BR />max locked memory (kbytes, -l) 64<BR />max memory size (kbytes, -m) unlimited<BR />open files (-n) 102400<BR />pipe size (512 bytes, -p) 8<BR />POSIX message queues (bytes, -q) 819200<BR />real-time priority (-r) 0<BR />stack size (kbytes, -s) 8192<BR />cpu time (seconds, -t) unlimited<BR />max user processes (-u) 514862<BR />virtual memory (kbytes, -v) unlimited<BR />file locks (-x) unlimited</P> Mon, 27 Jun 2022 19:41:13 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603441#M104996 djreschke 2022-06-27T19:41:13Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603445#M104997 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;limits.conf in the local folder&nbsp;</P><P>&nbsp;</P><P>limits.conf<BR />[thruput]<BR />maxKBps = 00</P> Mon, 27 Jun 2022 19:45:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603445#M104997 djreschke 2022-06-27T19:45:18Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603456#M104999 <P>Perhaps related but I have Universal Forwarders that are monitoring a small number of files being written by a dedicated syslog server, but today I noticed some monitored are being processed but others are not. No errors that I have found in the logs, Splunkd.log shows it was processing fine, then didn't show any tail reader entries for the missing files. This is on a Windows server which was patched this weekend and the monitored files are being written.</P> Mon, 27 Jun 2022 21:07:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603456#M104999 sirpatrick 2022-06-27T21:07:22Z https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603459#M105000 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/159258">@djreschke</a>&nbsp;</P><P>Do the first 256 bytes of the file happen to be the same on each file in the same input?&nbsp;</P><P>If so, take a look at the following from (<A href="https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/inputsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/inputsconf</A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><PRE>crcSalt = &lt;string&gt; * Use this setting to force the input to consume files that have matching CRCs, or cyclic redundancy checks. * By default, the input only performs CRC checks against the first 256 bytes of a file. This behavior prevents the input from indexing the same file twice, even though you might have renamed it, as with rolling log files, for example. Because the CRC is based on only the first few lines of the file, it is possible for legitimately different files to have matching CRCs, particularly if they have identical headers. * If set, &lt;string&gt; is added to the CRC. * If set to the literal string "&lt;SOURCE&gt;" (including the angle brackets), the full directory path to the source file is added to the CRC. This ensures that each file being monitored has a unique CRC. When 'crcSalt' is invoked, it is usually set to &lt;SOURCE&gt;. * Be cautious about using this setting with rolling log files; it could lead to the log file being re-indexed after it has rolled. * In many situations, 'initCrcLength' can be used to achieve the same goals. * Default: empty string</PRE><P>Thanks,&nbsp;</P><P>Jamie</P> Mon, 27 Jun 2022 21:15:11 GMT https://community.splunk.com/t5/Getting-Data-In/Why-have-monitored-inputs-stopped-working/m-p/603459#M105000 jamie00171 2022-06-27T21:15:11Z