Getting Data In

Duplicating events on .txt log file

New Member

Hi

We have a Windows machine that writes events on a log with the .txt extension, monitored by the Splunk Universal Forwarder (monitor stanza). Every time the file changes, Splunk re-read it all and writes this to the splunkd.log:

12-03-2013 15:12:33.432 -0200 INFO  WatchedFile - File too small to check seekcrc, probably truncated.  Will re-read entire file='D:\path\to\file\file.txt'.
12-03-2013 15:12:33.432 -0200 INFO  WatchedFile - Will begin reading at offset=0 for file='D:\path\to\file\file.txt'.

We've noticed that this happens to all .txt files that we try to monitor with Splunk. It's like Splunk have a config to deal with .txt files on a different way.

We've tried to setup an props.conf with:

[source::D:\\path\\to\\file\\file.txt]
CHECK_METHOD = endpoint_md5

But Splunk still duplicates the events.

Have anyone seen something like? There is a way to config Splunk to not re-read .txt files on each update?

Thanks!
Julio

0 Karma

Super Champion
0 Karma

Super Champion

How large are these files, and there any changes other than at the end of the file?

0 Karma

New Member

Actually we added "crcSalt = " (UPPERCASE). And yes, we restarted the Splunk instance.

0 Karma

SplunkTrust
SplunkTrust

just to be sure you added "crcSalt = " (sometime case makes difference) and restarted splunk instance?

0 Karma

New Member

Hi, lukejadamec.

We've already tried "crcSalt = " to the monitor stanza, but it didn't work =[

Now, our stanza uses only index and sourcetype attributes.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!