Splunk forwarder doesn't read recreated files

Hi,

Does anybody know how to index files overwritten by crontab?

On the server we have several cron jobs running. Each job creates a file. Every time a cron job runs, the file is overwritten.

*/1 * * * * cronjob_script.sh > output.txt 2>&1

How do I set up splunkforwarder to read overwritten files? Another question: how do I disable this strange CRC mechanism for splunkforwarder? I have more problems with this tool than help...

In the splunkforwarder logs I see this all the time:

INFO  WatchedFile - Checksum for seekptr didn't match, will re-read entire file=

You can find the inputs.conf file here:

sourcetype = uptime
source = uptime
crcSalt = <SOURCE>
followTail = 0
index = products
disabled = 0

I tested almost everything. Splunk doesn't read it...

It would be perfect if somebody could support me.

Cheers

Konrad


Splunk Employee

Can you paste an example of the output of this file? What does the props.conf look like?

Maybe add:

props.conf

[uptime]
DATETIME_CONFIG = CURRENT