https://community.splunk.com/t5/Getting-Data-In/How-to-properly-disable-a-WatchedFile-using-the-Universal/m-p/346567#M63641 <P>Do you install unix app?</P> <P>I get same information</P> <P>01-11-2018 16:36:05.204 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'. <BR /> 01-11-2018 16:36:06.266 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'. </P> <P>I found the app inputs.conf</P> <P>[monitor:///etc]<BR /> _whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)<BR /> <STRONG>blacklist = etc/dfs/</STRONG>*<BR /> index=os<BR /> disabled = 0</P> <P>The message won't be happened.</P> <P>It's useful for me. maybe you can try it.</P> Fri, 12 Jan 2018 02:56:48 GMT morgan03 2018-01-12T02:56:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-properly-disable-a-WatchedFile-using-the-Universal/m-p/346566#M63640 <P>On Solaris 10/11 - Our $SPLUNK_HOME/var/log/splunk/splunkd.log file has many of the following messages, 1 per second every minute.</P> <P>08-02-2017 18:04:06.787 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.</P> <P>I have tried various configs with the $SPLUNK_HOME/etc/system/local/inputs.conf [blacklist:///etc/dfs/] and [monitor://] with disable = true, but nothing works.<BR /> Thanks.</P> Wed, 02 Aug 2017 23:21:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-properly-disable-a-WatchedFile-using-the-Universal/m-p/346566#M63640 thabben 2017-08-02T23:21:33Z https://community.splunk.com/t5/Getting-Data-In/How-to-properly-disable-a-WatchedFile-using-the-Universal/m-p/346567#M63641 <P>Do you install unix app?</P> <P>I get same information</P> <P>01-11-2018 16:36:05.204 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'. <BR /> 01-11-2018 16:36:06.266 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'. </P> <P>I found the app inputs.conf</P> <P>[monitor:///etc]<BR /> _whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)<BR /> <STRONG>blacklist = etc/dfs/</STRONG>*<BR /> index=os<BR /> disabled = 0</P> <P>The message won't be happened.</P> <P>It's useful for me. maybe you can try it.</P> Fri, 12 Jan 2018 02:56:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-properly-disable-a-WatchedFile-using-the-Universal/m-p/346567#M63641 morgan03 2018-01-12T02:56:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-properly-disable-a-WatchedFile-using-the-Universal/m-p/346568#M63642 <P>You can determine which <CODE>monitor</CODE> stanza is responsible for this by examining the output of:</P> <PRE><CODE>splunk list monitor </CODE></PRE> <P>After which you can work to tune your blacklist/whitelist to try to prevent it from being indexed.</P> Sat, 13 Jan 2018 05:55:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-properly-disable-a-WatchedFile-using-the-Universal/m-p/346568#M63642 micahkemp 2018-01-13T05:55:13Z