Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to exclude from monitoring empty files?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-02-2015
01:58 AM
Hello,
Monitor folders have many empty files. These files may be filled in the future. So I can't add them to a blacklist.
As result the log file splunkd.log has huge amount messages:
INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='<filename>'.
I don't want to reduce the log level.
Is it possible to exclude from monitoring empty files to reduce the message count in the log?
--
Best regards, Artem.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-02-2015
05:51 AM
You could dump some filler into each file:
echo "FILLER: This is not real data but just filler text to suppress this log: INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='<filename>'." > <filename>.
Then configre props.conf and transforms.conf to send these events to nullQueue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-02-2015
05:51 AM
You could dump some filler into each file:
echo "FILLER: This is not real data but just filler text to suppress this log: INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='<filename>'." > <filename>.
Then configre props.conf and transforms.conf to send these events to nullQueue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-15-2015
12:15 AM
Hello, sorry for the delay.
It is fantastic solution and I marked this as a solution. But unfortunately I can't to change the source files (even empty).
Best regards, Artem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-15-2015
07:41 AM
Whatever you do, DO NOT use ignoreOlderThan because once Splunk ignores a file via this control, it will never check it again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-15-2015
07:48 AM
ok, thank you for the useful information.
Best regards, Artem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-15-2015
10:55 PM
Universal forwarder start to reindex files when I commented the ignoreOlderThan parameter. I saw it today. The bitter experience with another task.
Best regards, Artem.
Get Updates on the Splunk Community!
Get Schooled with Splunk Education: Explore Our Latest Courses
At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
The Splunk AI Assistant for SPL ...
Buttercup Games: Further Dashboarding Techniques (Part 5)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
