I have a log file that gets rotated (foo.log becomes foo.log.1, foo.log.1 becomes foo.log.2, etc).
Every time the file gets rotated, the new foo.log gets a common header (which is more that 256 bytes long)
Splunk believes that this file has already been indexed (since the first 256 bytes are identical).
I can't add "crcSalt = " since the source filename is always the same.
Are there any other ways to get this file read every time it gets rotated?
I don't know of a good way around this problem. It comes up fairly often and is something Splunk should be able to fix, either to use a larger CRC, or to offset some amount before the CRC. Please file an Enhancement Request with Splunk to help us get this fixed.
I don't know of a good way around this problem. It comes up fairly often and is something Splunk should be able to fix, either to use a larger CRC, or to offset some amount before the CRC. Please file an Enhancement Request with Splunk to help us get this fixed.
