Splunk reading file but not indexing the data

morphis72 · ‎04-16-2019

I have migrated a docker environment off of an old legacy build to my new Splunk environment.

Some of my data after moving the apps over is not coming in and I can't figure out why.

My inputs.conf file contains this stanza:

[monitor:///var/lib/docker/volumes/.../_data/messages.log]
disabled = false
host_regex = \/var\/lib\/docker\/volumes\/(.*?)\/_data
sourcetype = liberty:messages:json
initCrcLength = 1048575
index = docker_nonprod_11485_7320

I enabled DEBUG and am finding where it appears to be reading the file but then never indexes it.

04-16-2019 20:05:17.817 -0400 DEBUG WatchedFile - seeking /var/lib/docker/volumes/10826-DMA-Int_ui.2.mo31ycyigljai7urzf767unv2/_data/messages.log to off=1202898
04-16-2019 20:05:17.817 -0400 DEBUG WatchedFile - Reached EOF: fname=/var/lib/docker/volumes/10826-DMA-Int_ui.2.mo31ycyigljai7urzf767unv2/_data/messages.log initcrclen=1048575 fishstate=key=0x960a54930e3e00d3 sptr=1202898 scrc=0x389469e89a3b1168 fnamecrc=0x2842e360000b2f69 modtime=1555441508
04-16-2019 20:05:17.817 -0400 DEBUG TailReader - Finished reading file='/var/lib/docker/volumes/10826-DMA-Int_ui.2.mo31ycyigljai7urzf767unv2/_data/messages.log' in tailreader0 thread, disposition=ACKNOWLEDGE_CHANGE, deferredBy=0.000
04-16-2019 20:05:17.817 -0400 DEBUG TailReader - Returning disposition=ACKNOWLEDGE_CHANGE for file=/var/lib/docker/volumes/10826-DMA-Int_ui.2.mo31ycyigljai7urzf767unv2/_data/messages.log

I have tried with crcSalt and with initCrcLength as well as without that setting all together.

Any ideas on what I should be trying here?

Splunk reading file but not indexing the data

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7