Solved: rotating log files with large headers.

kkalmbach · ‎08-24-2011

I have a log file that gets rotated (foo.log becomes foo.log.1, foo.log.1 becomes foo.log.2, etc).
Every time the file gets rotated, the new foo.log gets a common header (which is more that 256 bytes long)

Splunk believes that this file has already been indexed (since the first 256 bytes are identical).
I can't add "crcSalt = " since the source filename is always the same.

Are there any other ways to get this file read every time it gets rotated?

Thanks
-Kevin

gkanapathy · ‎08-24-2011

I don't know of a good way around this problem. It comes up fairly often and is something Splunk should be able to fix, either to use a larger CRC, or to offset some amount before the CRC. Please file an Enhancement Request with Splunk to help us get this fixed.

View solution in original post

gkanapathy · ‎08-24-2011

I don't know of a good way around this problem. It comes up fairly often and is something Splunk should be able to fix, either to use a larger CRC, or to offset some amount before the CRC. Please file an Enhancement Request with Splunk to help us get this fixed.

rotating log files with large headers.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

rotating log files with large headers.

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine