does anybody knows how to index files overwritten by crontab ?
On the server we have running several cronjobs. Each job creating a file. Everytime, when cronjob is running file will be overwritten.
*/1 * * * * cronjob_script.sh > output.txt 2>&1
How to setup splunkforwarder to read overwritten files ? Another question, how to disable this strange CRC mechanismus for splunkforwarder. I have more problems with this tool that help...
In the splunkforwarder logs I see all the time this:
INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file=
Inputs.conf file You can find here:
sourcetype = uptime
source = uptime
crcSalt = <SOURCE>
followTail = 0
index = products
disabled = 0
I tested almost everything. Splunk doesnt read it...
Would be perfect if somebody could support me.
Can you paste an example of the output of this file? What does the props.conf look like?
DATETIME_CONFIG = CURRENT