<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Rolled over issue with same header in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Rolled-over-issue-with-same-header/m-p/126608#M26055</link>
    <description>&lt;P&gt;Here is the &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled"&gt;doc link&lt;/A&gt; that explains how Splunk handles log file rotation.&lt;/P&gt;

&lt;P&gt;On the other hand, you can also add an &lt;CODE&gt;ignoreOlderThan =&lt;/CODE&gt; stanza in the &lt;CODE&gt;inputs.conf&lt;/CODE&gt; file, with the value given as {number}{unit} (without brackets). For example, "7d" indicates one week. Valid units are "d" (days), "h" (hours), "m" (minutes), and "s" (seconds).&lt;/P&gt;

&lt;P&gt;Let us know what worked for you so others visiting this post can learn/re-use.&lt;/P&gt;

&lt;P&gt;Regards, Mitesh.&lt;/P&gt;</description>
    <pubDate>Mon, 25 May 2015 07:33:16 GMT</pubDate>
    <dc:creator>miteshvohra</dc:creator>
    <dc:date>2015-05-25T07:33:16Z</dc:date>
    <item>
      <title>Rolled over issue with same header</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Rolled-over-issue-with-same-header/m-p/126607#M26054</link>
      <description>&lt;P&gt;I have a couple of files in a directory, as below:&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Out.log&lt;BR /&gt;
Out_15.05.20_14.32.33.log&lt;BR /&gt;
Out_15.05.21_07.06.45.log&lt;BR /&gt;
Out_15.05.21_10.00.27.log&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;All of these files have the same header, hence Splunk is ignoring all new files, since the rolled-over files have the same header and the same size.&lt;/P&gt;

&lt;P&gt;Now I am planning to use the &lt;STRONG&gt;initCrcLength&lt;/STRONG&gt; property and set it to 1000 so that Splunk will ignore the header part.&lt;/P&gt;

&lt;P&gt;One issue with this is that Splunk will re-index all the files.&lt;/P&gt;

&lt;P&gt;Can anyone please suggest how to ignore the older files?&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 20:04:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Rolled-over-issue-with-same-header/m-p/126607#M26054</guid>
      <dc:creator>jitsinha</dc:creator>
      <dc:date>2020-09-28T20:04:21Z</dc:date>
    </item>
    <item>
      <title>Re: Rolled over issue with same header</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Rolled-over-issue-with-same-header/m-p/126608#M26055</link>
      <description>&lt;P&gt;Here is the &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled"&gt;doc link&lt;/A&gt; that explains how Splunk handles log file rotation.&lt;/P&gt;

&lt;P&gt;On the other hand, you can also add an &lt;CODE&gt;ignoreOlderThan =&lt;/CODE&gt; stanza in the &lt;CODE&gt;inputs.conf&lt;/CODE&gt; file, with the value given as {number}{unit} (without brackets). For example, "7d" indicates one week. Valid units are "d" (days), "h" (hours), "m" (minutes), and "s" (seconds).&lt;/P&gt;

&lt;P&gt;Let us know what worked for you so others visiting this post can learn/re-use.&lt;/P&gt;

&lt;P&gt;Regards, Mitesh.&lt;/P&gt;</description>
      <pubDate>Mon, 25 May 2015 07:33:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Rolled-over-issue-with-same-header/m-p/126608#M26055</guid>
      <dc:creator>miteshvohra</dc:creator>
      <dc:date>2015-05-25T07:33:16Z</dc:date>
    </item>
    <item>
      <title>Re: Rolled over issue with same header</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Rolled-over-issue-with-same-header/m-p/126609#M26056</link>
      <description>&lt;P&gt;Thanks for your response. The system in place rolls over files based on date/size, whichever is earlier.&lt;BR /&gt;
Hence &lt;STRONG&gt;ignoreOlderThan&lt;/STRONG&gt; will not work properly.&lt;/P&gt;

&lt;P&gt;Sorry, I might not have been clear earlier.&lt;/P&gt;

&lt;P&gt;The issue I am referring to is more related to the header being the same across all the files.&lt;/P&gt;

&lt;P&gt;So, for example, say I got one file &lt;STRONG&gt;A.log&lt;/STRONG&gt; for today.&lt;/P&gt;

&lt;P&gt;In this situation, if I start to monitor the directory containing the file, Splunk will only pick the &lt;STRONG&gt;A.log&lt;/STRONG&gt; file and will index it.&lt;/P&gt;

&lt;P&gt;But tomorrow, when a new file is created, today's file will be renamed to &lt;STRONG&gt;A.20150525.log&lt;/STRONG&gt;, but since the new file and the old file have the same header, the new file will be ignored, and for that matter all the files for all the consecutive days.&lt;/P&gt;

&lt;P&gt;Now the indexing issue has been fixed by setting initCrcLength = 1000, but Splunk has reindexed all the older files again.&lt;/P&gt;

&lt;P&gt;How to stop this re-indexing??&lt;/P&gt;</description>
      <pubDate>Mon, 25 May 2015 09:08:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Rolled-over-issue-with-same-header/m-p/126609#M26056</guid>
      <dc:creator>jitsinha</dc:creator>
      <dc:date>2015-05-25T09:08:31Z</dc:date>
    </item>
  </channel>
</rss>

