Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Duplicating events on .txt log file

julima
New Member
‎12-03-2013 09:29 AM

Hi

We have a Windows machine that writes events on a log with the .txt extension, monitored by the Splunk Universal Forwarder (monitor stanza). Every time the file changes, Splunk re-read it all and writes this to the splunkd.log:

12-03-2013 15:12:33.432 -0200 INFO  WatchedFile - File too small to check seekcrc, probably truncated.  Will re-read entire file='D:\path\to\file\file.txt'.
12-03-2013 15:12:33.432 -0200 INFO  WatchedFile - Will begin reading at offset=0 for file='D:\path\to\file\file.txt'.

We've noticed that this happens to all .txt files that we try to monitor with Splunk. It's like Splunk have a config to deal with .txt files on a different way.

We've tried to setup an props.conf with:

[source::D:\\path\\to\\file\\file.txt]
CHECK_METHOD = endpoint_md5

But Splunk still duplicates the events.

Have anyone seen something like? There is a way to config Splunk to not re-read .txt files on each update?

Thanks!
Julio

0 Karma
Reply

lukejadamec
Super Champion
‎12-03-2013 09:41 AM

Try adding a CRC Salt, see this post:

http://answers.splunk.com/answers/1568/windows-dhcp-log-files-too-small-to-match-seekptr-checksum

0 Karma
Reply

lukejadamec
Super Champion
‎12-04-2013 09:28 AM

How large are these files, and there any changes other than at the end of the file?

0 Karma
Reply

julima
New Member
‎12-04-2013 06:54 AM

Actually we added "crcSalt = " (UPPERCASE). And yes, we restarted the Splunk instance.

0 Karma
Reply

somesoni2
Revered Legend
‎12-03-2013 11:52 AM

just to be sure you added "crcSalt = " (sometime case makes difference) and restarted splunk instance?

0 Karma
Reply

julima
New Member
‎12-03-2013 10:13 AM

Hi, lukejadamec.

We've already tried "crcSalt = " to the monitor stanza, but it didn't work =[

Now, our stanza uses only index and sourcetype attributes.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...