https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12326#M889 <P>You can check the duplicated events along with their time of indexing with the below query:</P> <P>index=your index sourcetype=your sourcetype | eval dup=_raw | convert ctime(_time) as T1 | convert ctime(_indextime) as indextime | transaction dup mvlist=t maxspan=1s keepevicted=true | table dup,source,sourcetype,host,index,indextime</P> <P>Process to delete the duplicated events:</P> <OL> <LI>Run the following command to store all duplicate events in a lookup table.</LI> </OL> <P>index=* sourcetype=wsa_accesslogs | eval id=_cd."|".index."|".splunk_server | transaction _raw maxspan=1s keepevicted=true mvlist=t | search</P> <P>eventcount&gt;1<BR /> | eval delete_id=mvindex(id, 1, -1) | stats c by delete_id | outputlookup delete_these.csv</P> <OL> <LI>Once search finishes completely by running the following command you can view the events stored in lookup table | inputlookup delete_these.csv</LI> </OL> <P>Note: You need to wait till your search gets complete. You can use smart mode as well.<BR /> You can also check the newly created lookup table in the $Splunk_Home\etc\apps\app_name\lookups\ delete_these.csv</P> <OL> <LI>Run the following command to delete all events from source type which also exists into lookup table (in your case its delete_these.csv)</LI> </OL> <P>index=* sourcetype=wsa_accesslogs | eval delete_id=_cd."|".index."|".splunk_server | search [|inputlookup delete_these.csv | fields delete_id |</P> <P>format "(" "(" "OR" ")" "OR" ")"] | delete</P> <P>Happy Splunking</P> Tue, 29 Sep 2020 13:51:30 GMT puneethgowda 2020-09-29T13:51:30Z https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12322#M885 <P>I'm monitoring a folder but I'm not seeing all the files getting indexed into Splunk.</P> <P>Then I did </P> <PRE>index=_internal sourcetype="splunkd" log_level="ERROR"</PRE> <P>and found several events indicating the reason files were not indexed. </P> <PRE> 04-26-2010 11:58:04.265 ERROR TailingProcessor - Ignoring path due to: File will not be read, is too small to match seekptr checksum (file=C:\Program Files\WebSphere\profiles\AppSrv01\config\cells\sfeserv36Node01Cell\PolicySets\WSReliableMessaging persistent\PolicyTypes\WSReliableMessaging\policy.xml). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or contact Splunk Support for more info. </PRE> <P>I do not understand why Splunk is telling me that the filename was different.</P> <P>Help?</P> Tue, 27 Apr 2010 03:18:57 GMT https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12322#M885 Nicholas_Key 2010-04-27T03:18:57Z https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12323#M886 <P>Splunk performs a CRC check of the files it tries to index. The error you report implies that we had indexed a file with the same CRC value. Even if the file name is different, we will not index it unless you use the CRC salt parameter for the input. This prevents Splunk from reindexing the same log file, even though you may have renamed it. </P> <P>Sometimes, if you have a file that has the same few header lines, this will confuse Splunk as we don't perform the CRC against the whole file. In those cases, you should use the crcSalt parameter:</P> <PRE><CODE>crcSalt = &lt;SOURCE&gt; </CODE></PRE> <P>If set, this string is added to the CRC. Use this setting to force Splunk to consume files that have matching CRCs. If set to crcSalt = (note: This setting is case sensitive), then the full source path is added to the CRC.</P> <P>For reference:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorfilesanddirectories" rel="nofollow">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorfilesanddirectories</A></P> Tue, 27 Apr 2010 03:26:17 GMT https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12323#M886 Simeon 2010-04-27T03:26:17Z https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12324#M887 <P>Thank you Simeon and Wolverine! It works now with crcSalt = <SOURCE></SOURCE></P> Tue, 27 Apr 2010 05:47:09 GMT https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12324#M887 Nicholas_Key 2010-04-27T05:47:09Z https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12325#M888 <P>Just to be completely clear about this setting.... Nicholas, you received this message on an XML config file which is where adding the <CODE>crcSalt</CODE> setting is helpful. But you should probably <EM>not</EM> add this to monitors that are indexing traditional log files. The danger of adding "<CODE>crcSalt = &lt;SOURCE&gt;</CODE>" everywhere is that it would re-index a log file after it is rotated, so you could end up with the same events loaded many many times.</P> Thu, 20 May 2010 21:21:31 GMT https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12325#M888 Lowell 2010-05-20T21:21:31Z https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12326#M889 <P>You can check the duplicated events along with their time of indexing with the below query:</P> <P>index=your index sourcetype=your sourcetype | eval dup=_raw | convert ctime(_time) as T1 | convert ctime(_indextime) as indextime | transaction dup mvlist=t maxspan=1s keepevicted=true | table dup,source,sourcetype,host,index,indextime</P> <P>Process to delete the duplicated events:</P> <OL> <LI>Run the following command to store all duplicate events in a lookup table.</LI> </OL> <P>index=* sourcetype=wsa_accesslogs | eval id=_cd."|".index."|".splunk_server | transaction _raw maxspan=1s keepevicted=true mvlist=t | search</P> <P>eventcount&gt;1<BR /> | eval delete_id=mvindex(id, 1, -1) | stats c by delete_id | outputlookup delete_these.csv</P> <OL> <LI>Once search finishes completely by running the following command you can view the events stored in lookup table | inputlookup delete_these.csv</LI> </OL> <P>Note: You need to wait till your search gets complete. You can use smart mode as well.<BR /> You can also check the newly created lookup table in the $Splunk_Home\etc\apps\app_name\lookups\ delete_these.csv</P> <OL> <LI>Run the following command to delete all events from source type which also exists into lookup table (in your case its delete_these.csv)</LI> </OL> <P>index=* sourcetype=wsa_accesslogs | eval delete_id=_cd."|".index."|".splunk_server | search [|inputlookup delete_these.csv | fields delete_id |</P> <P>format "(" "(" "OR" ")" "OR" ")"] | delete</P> <P>Happy Splunking</P> Tue, 29 Sep 2020 13:51:30 GMT https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12326#M889 puneethgowda 2020-09-29T13:51:30Z https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12327#M890 <P>Is there a way to delete the CRCs of the previous indexing activity? I deleted the index and the data input and basically tried to start over but my files won't index again.</P> Tue, 22 Aug 2017 23:49:14 GMT https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12327#M890 _jgpm_ 2017-08-22T23:49:14Z https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12328#M891 <P>You could either empty the fish bucket or add a random crcSalt in your inputs.conf.<BR /> Adding a salt will change the hash of the files and thus index them again.</P> <P>Skalli</P> Wed, 23 Aug 2017 07:00:50 GMT https://community.splunk.com/t5/Getting-Data-In/Filename-was-different-therefore-source-is-not-indexed-Why/m-p/12328#M891 skalliger 2017-08-23T07:00:50Z