_TCP_ROUTING = forward_logs
disabled = false
index = 1idx1
sourcetype = LOGS
crcSalt = <SOURCE>
Even though our inputs.conf has crcSalt=<SOURCE>, we see following info messages in splunkd.log and entire log file is getting reindexed for each log entry. Can you please confirm if any other parameters are needed?
11-17-2020 05:07:22.103 -0700 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='Xyz.log'.
11-17-2020 05:07:22.103 -0700 INFO WatchedFile - Will begin reading at offset=0 for file='Xyz.log'.
11-17-2020 05:07:22.104 -0700 WARN CsvLineBreaker - CSV StreamId: 8593577840253621053 has empty line. - data_source="Xyz.log"
Can you share some sample events from that file? Are they very small?
Try setting the initCrcLength setting to a value higher than 256. How high depends on how far into the file Splunk has to read to find a change.