Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Different path from Splunk Universal Forwarder with same log file name, however, cannot recognize one of the path's log file

lsmkelvin
New Member
‎08-30-2012 07:17 PM

Here is the details.

Server 1:
path=/appl/abc/log/access.yyyyMMdd.HHmmss.log
Which is ok for Server 1.

Server 2:
path=/appl/def/log/access.yyyyMMdd.HHmmss.log
I extracted Server 2 splunkd.log and the message as below.
"08-30-2012 10:28:11.478 +0800 ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=/appl/def/log/access.yyyyMMdd.HHmmss.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info."

For those server inputs.conf setting, which are same, just only the path location is different. Also, i indexed to different index as well with using different app.

Can anyone help to fix this problem?

Thanks
Kelvin

Tags (1)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-30-2012 10:33 PM

Hi Ismkelvin

the message says it all, the file was ignored because of a CRC match. If you want to index this file you have to add the crcSalt = to your inputs.conf. This will tell Splunk to include the path name in the checksum.

read more about it here and follow the docs; SOURCE must be in angle brackets 😉

but also be warned, that including crcSalt can lead to double indexing of files.

cheers,

MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...