Solved: Re: Batch input not working. Please help troublesh...

dm1 · ‎08-02-2021

There is a csv file I had added to a a directory which HF monitors.

That input is set as Batch input.

Because there was some issue with the data was getting formatted, I deleted the results from the search head using | delete command.

After that to re-ingest, I followed same procedue to reingest the csv file.

After the file is added to the directory, it gets deleted due to the move to sink hole policy.

However, when I do a search for the same log, nothing shows up.

Can someone please help why this is happening and how it can be fixed ?

dm1 · ‎08-03-2021

Adding the below setting in batch stanza within inputs.conf helped me re-ingest the same file

initCrcLength = 1028

FYI, the value cannot be less than 256 or more than 1048576.

dm1 · ‎08-03-2021

Adding the below setting in batch stanza within inputs.conf helped me re-ingest the same file

initCrcLength = 1028

FYI, the value cannot be less than 256 or more than 1048576.

gcusello · ‎08-03-2021

Good for you, see next time!

Ciao and Happy splunking.

Giuseppe

P.S.: Karma points are appreciated by all the Contributors 😉

gcusello · ‎08-03-2021

by default, Splunk doesn't permit to index a file twice.

So if you deleted the logs from a file in Splunk, to reindex them you have two options:

index it manually using the guided procedure [Settings -- Add Data];
change the name of the file, modify your inputs.conf stanza adding "crcSal = <SOURCE>" and restart Splunk on HF.

Ciao.

Giuseppe

dm1 · ‎08-03-2021

Thanks for your reply @gcusello . I have posted the solution that helped fix my issue.

Batch input not working. Please help troubleshoot it