https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188834#M37653 <P>Hello, sorry for the delay.</P> <H2>It is fantastic solution and I marked this as a solution. But unfortunately I can't to change the source files (even empty).</H2> <P>Best regards, Artem.</P> Wed, 15 Jul 2015 07:15:18 GMT apakhomov 2015-07-15T07:15:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188832#M37651 <P>Hello,</P> <P>Monitor folders have many empty files. These files may be filled in the future. So I can't add them to a blacklist.<BR /> As result the log file splunkd.log has huge amount messages:</P> <PRE><CODE>INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='&lt;filename&gt;'. </CODE></PRE> <P>I don't want to reduce the log level.<BR /> Is it possible to exclude from monitoring empty files to reduce the message count in the log?</P> <P>--<BR /> Best regards, Artem.</P> Thu, 02 Jul 2015 08:58:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188832#M37651 apakhomov 2015-07-02T08:58:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188833#M37652 <P>You could dump some filler into each file:</P> <PRE><CODE>echo "FILLER: This is not real data but just filler text to suppress this log: INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='&lt;filename&gt;'." &gt; &lt;filename&gt;. </CODE></PRE> <P>Then configre <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE> to send these events to <CODE>nullQueue</CODE>.</P> Thu, 02 Jul 2015 12:51:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188833#M37652 woodcock 2015-07-02T12:51:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188834#M37653 <P>Hello, sorry for the delay.</P> <H2>It is fantastic solution and I marked this as a solution. But unfortunately I can't to change the source files (even empty).</H2> <P>Best regards, Artem.</P> Wed, 15 Jul 2015 07:15:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188834#M37653 apakhomov 2015-07-15T07:15:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188835#M37654 <P>Whatever you do, DO NOT use <CODE>ignoreOlderThan</CODE> because once Splunk ignores a file via this control, it will never check it again.</P> Wed, 15 Jul 2015 14:41:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188835#M37654 woodcock 2015-07-15T14:41:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188836#M37655 <H2>ok, thank you for the useful information.</H2> <P>Best regards, Artem.</P> Wed, 15 Jul 2015 14:48:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188836#M37655 apakhomov 2015-07-15T14:48:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188837#M37656 <H2>Universal forwarder start to reindex files when I commented the ignoreOlderThan parameter. I saw it today. The bitter experience with another task.</H2> <P>Best regards, Artem.</P> Thu, 16 Jul 2015 05:55:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-from-monitoring-empty-files/m-p/188837#M37656 apakhomov 2015-07-16T05:55:13Z