Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Different path from Splunk Universal Forwarder with same log file name, however, cannot recognize one of the path's log file

lsmkelvin
New Member
‎08-30-2012 07:17 PM

Here is the details.

Server 1:
path=/appl/abc/log/access.yyyyMMdd.HHmmss.log
Which is ok for Server 1.

Server 2:
path=/appl/def/log/access.yyyyMMdd.HHmmss.log
I extracted Server 2 splunkd.log and the message as below.
"08-30-2012 10:28:11.478 +0800 ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=/appl/def/log/access.yyyyMMdd.HHmmss.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info."

For those server inputs.conf setting, which are same, just only the path location is different. Also, i indexed to different index as well with using different app.

Can anyone help to fix this problem?

Thanks
Kelvin

Tags (1)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-30-2012 10:33 PM

Hi Ismkelvin

the message says it all, the file was ignored because of a CRC match. If you want to index this file you have to add the crcSalt = to your inputs.conf. This will tell Splunk to include the path name in the checksum.

read more about it here and follow the docs; SOURCE must be in angle brackets 😉

but also be warned, that including crcSalt can lead to double indexing of files.

cheers,

MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...