Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to exclude from monitoring empty files?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-02-2015
01:58 AM
Hello,
Monitor folders have many empty files. These files may be filled in the future. So I can't add them to a blacklist.
As result the log file splunkd.log has huge amount messages:
INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='<filename>'.
I don't want to reduce the log level.
Is it possible to exclude from monitoring empty files to reduce the message count in the log?
--
Best regards, Artem.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-02-2015
05:51 AM
You could dump some filler into each file:
echo "FILLER: This is not real data but just filler text to suppress this log: INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='<filename>'." > <filename>.
Then configre props.conf and transforms.conf to send these events to nullQueue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-02-2015
05:51 AM
You could dump some filler into each file:
echo "FILLER: This is not real data but just filler text to suppress this log: INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='<filename>'." > <filename>.
Then configre props.conf and transforms.conf to send these events to nullQueue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-15-2015
12:15 AM
Hello, sorry for the delay.
It is fantastic solution and I marked this as a solution. But unfortunately I can't to change the source files (even empty).
Best regards, Artem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-15-2015
07:41 AM
Whatever you do, DO NOT use ignoreOlderThan because once Splunk ignores a file via this control, it will never check it again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-15-2015
07:48 AM
ok, thank you for the useful information.
Best regards, Artem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apakhomov
Path Finder
07-15-2015
10:55 PM
Universal forwarder start to reindex files when I commented the ignoreOlderThan parameter. I saw it today. The bitter experience with another task.
Best regards, Artem.
Get Updates on the Splunk Community!
OpenTelemetry for Legacy Apps? Yes, You Can!
This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...
UCC Framework: Discover Developer Toolkit for Building Technology Add-ons
The Next-Gen Toolkit for Splunk Technology Add-on Development
The Universal Configuration Console (UCC) ...
.conf25 Community Recap
Hello Splunkers,
And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...
