Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Duplicating events on .txt log file
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Duplicating events on .txt log file
julima
New Member
12-03-2013
09:29 AM
Hi
We have a Windows machine that writes events on a log with the .txt extension, monitored by the Splunk Universal Forwarder (monitor stanza). Every time the file changes, Splunk re-read it all and writes this to the splunkd.log:
12-03-2013 15:12:33.432 -0200 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='D:\path\to\file\file.txt'.
12-03-2013 15:12:33.432 -0200 INFO WatchedFile - Will begin reading at offset=0 for file='D:\path\to\file\file.txt'.
We've noticed that this happens to all .txt files that we try to monitor with Splunk. It's like Splunk have a config to deal with .txt files on a different way.
We've tried to setup an props.conf with:
[source::D:\\path\\to\\file\\file.txt]
CHECK_METHOD = endpoint_md5
But Splunk still duplicates the events.
Have anyone seen something like? There is a way to config Splunk to not re-read .txt files on each update?
Thanks!
Julio
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
12-03-2013
09:41 AM
Try adding a CRC Salt, see this post:
http://answers.splunk.com/answers/1568/windows-dhcp-log-files-too-small-to-match-seekptr-checksum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
12-04-2013
09:28 AM
How large are these files, and there any changes other than at the end of the file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
julima
New Member
12-04-2013
06:54 AM
Actually we added "crcSalt =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-03-2013
11:52 AM
just to be sure you added "crcSalt =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
julima
New Member
12-03-2013
10:13 AM
Hi, lukejadamec.
We've already tried "crcSalt =
Now, our stanza uses only index and sourcetype attributes.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
