- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a csv file I had added to a a directory which HF monitors.
That input is set as Batch input.
Because there was some issue with the data was getting formatted, I deleted the results from the search head using | delete command.
After that to re-ingest, I followed same procedue to reingest the csv file.
After the file is added to the directory, it gets deleted due to the move to sink hole policy.
However, when I do a search for the same log, nothing shows up.
Can someone please help why this is happening and how it can be fixed ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding the below setting in batch stanza within inputs.conf helped me re-ingest the same file
initCrcLength = 1028
FYI, the value cannot be less than 256 or more than 1048576.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding the below setting in batch stanza within inputs.conf helped me re-ingest the same file
initCrcLength = 1028
FYI, the value cannot be less than 256 or more than 1048576.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @dm1,
Good for you, see next time!
Ciao and Happy splunking.
Giuseppe
P.S.: Karma points are appreciated by all the Contributors 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Hi @dm1,
by default, Splunk doesn't permit to index a file twice.
So if you deleted the logs from a file in Splunk, to reindex them you have two options:
- index it manually using the guided procedure [Settings -- Add Data];
- change the name of the file, modify your inputs.conf stanza adding "crcSal = <SOURCE>" and restart Splunk on HF.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply @gcusello . I have posted the solution that helped fix my issue.
