https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31921#M5607 <P>Hi,</P> <P>We are indexing a directory on one of our servers (/sonic/logs) and Splunk suddenly stopped indexing a few of the files. It appears to have stopped after the log file was rolled over one night. I checked the TailingProcessor status via the REST URL (<A href="https://ourserver:8090/services/admin/inputstatus/TailingProcessor%3AFileStatus">https://ourserver:8090/services/admin/inputstatus/TailingProcessor%3AFileStatus</A>) and for the files it stopped indexing it says 100% and "finished reading". However I know that there are still new entries being written to the file that aren't showing up in Splunk.</P> <P>What has caused Splunk to stop indexing these files and how can we get it to resume?</P> <P>We are running Splunk 4.2.2 on AIX.</P> <P>Thanks!</P> Thu, 08 Dec 2011 22:34:51 GMT jaydee77ca 2011-12-08T22:34:51Z https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31921#M5607 <P>Hi,</P> <P>We are indexing a directory on one of our servers (/sonic/logs) and Splunk suddenly stopped indexing a few of the files. It appears to have stopped after the log file was rolled over one night. I checked the TailingProcessor status via the REST URL (<A href="https://ourserver:8090/services/admin/inputstatus/TailingProcessor%3AFileStatus">https://ourserver:8090/services/admin/inputstatus/TailingProcessor%3AFileStatus</A>) and for the files it stopped indexing it says 100% and "finished reading". However I know that there are still new entries being written to the file that aren't showing up in Splunk.</P> <P>What has caused Splunk to stop indexing these files and how can we get it to resume?</P> <P>We are running Splunk 4.2.2 on AIX.</P> <P>Thanks!</P> Thu, 08 Dec 2011 22:34:51 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31921#M5607 jaydee77ca 2011-12-08T22:34:51Z https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31922#M5608 <P>Do the newly rolled log files inherit any headers from their predecessors? If yes, then you might need <CODE>crcSalt=&lt;SOURCE&gt;</CODE> in your input stanza. Check here for more details: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled">http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled</A></P> <P>Also, I would check <CODE>$SPLUNK_HOME/var/log/splunk/splunkd.log</CODE> for additional information/clues.</P> <P>Hope this helps.</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Fri, 09 Dec 2011 00:30:03 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31922#M5608 _d_ 2011-12-09T00:30:03Z https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31923#M5609 <P>Yeah, they will likely all have the same first line as it is usually:</P> <P>[11/12/06 00:00:01] ID=AGENT (info) Log file rollover initiated...</P> <P>Of course the timestamp is different.</P> <P>The thing is, it's been indexing these files for months and we've never had any issues. Now all of a sudden it stopped. And actually it looks like it hasn't stopped completely as yesterday and the day before it indexed a half-dozen or so lines from the file but that's it. (Usually there are hundreds of lines or more)</P> <P>I've tried restarting splunk on the server and that didn't seem to affect anything.</P> Fri, 09 Dec 2011 22:52:23 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31923#M5609 jaydee77ca 2011-12-09T22:52:23Z https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31924#M5610 <P>The documentation for crcSalt says that it shouldn't be used with rolling log files and these files are rolled so I'm not sure if that will help. <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Fri, 09 Dec 2011 22:52:28 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-stopped-indexing-some-files/m-p/31924#M5610 jaydee77ca 2011-12-09T22:52:28Z