i am getting this error , every time when i am indexing the .csv.gz file
updated less than 10000ms ago, will not read it until it stops changing.
has stopped changing , will read it now .
CHECKFORHEADER = true
INDEXEDEXTRACTIONS = csv
NOBINARYCHECK = true
SHOULD_LINEMERGE = false
disabled = false
REPORT-AutoHeader = AutoHeader-6
category = Structured
That's not an error, Splunk is informing you that it's not going to read the archive until it's confident that the archive has stopped changing.
So... when you run this over all time, you see nothing?
index=_internal group=per_source_thruput series=*csv.gz*
No , my env is , everyday new file will be added in that location to monitor , e.g. /tmp/sample1.csv.gz ... , sample2.csv.gz ....only first time it went through ... from day 2 always it's throwing the same info but no data in the indexer . My sample1.csv.gz has the first line in common like same fields everyday .. but from the second line it's different ... is it because of that ... u can find my props.conf and my inputs.conf in my first post .
crcSalt= <SOURCE> in your inputs.conf, also you may want to use batch instead of monitor with a move_policy = sinkhole so it will erase the previous file when indexed.
i have added the crcsalt file like below
but still i cant see todays sample1.csv.gz file
in log file i can find out
Handling file =/tmp/sample1.csv.gz
ArchivedProcessor - reading Path = /tmp/sample1.csv.gz ( seek=0 len=142048)
but not seeing the data in the splunk indexer.
its showing handling file , reading file but not seeign finished processing file . Kindly need your input .