Getting Data In

How to manage indexing rolling log files without duplicating data in the Index

ericrobinson
Path Finder

We are testing in a high throughput environment capturing logs that grow to 251MB in ~ 4-6 minutes at which time the logs are rolled to a dated log file.

e.g. test.log -> test.log.20110315042946

The problem is that Splunk thinks we have already indexed one or more of the rolled log files, which results in us missing data from the performance run. I have read about using the crcSalt, but also to avoid using that on rotating log files.

03-15-2011 09:38:04.028 ERROR TailingProcessor - Ignoring path due to: File will not be read, seekptr checksum did not match (file=/opt/perf/gett/log/test.log.20110315091120). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or contact Splunk Support for more info.

Can someone suggest how this problem can be managed?

0 Karma

ericrobinson
Path Finder

Hi All.. Thanks for the help. We found that the rolling log file was also being renamed by another log archiving process.

What was happening was the log would be rolled to test.log.1

Then, the archiving process would rename it to test.log.20110316

We think that Splunk was seeing the log in the .1 format and when the file name changed to .2011*, the CRC had issues.

After changing our inputs.conf, we are not seeing the issue..

We were monitoring test.log* and now only monitor test.log and test.log.2011*

0 Karma

gkanapathy
Splunk Employee

Are the files simply renamed when they are rolled? What is the inputs.conf stanza that you are using to monitor the files?

0 Karma

netwrkr
Communicator

Could you name the log file with the associated date / time value at the beginning rather than changing it afterwards?

0 Karma
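A way to confirm the double rename described in this thread from the forwarder side, as an added example that is not code from any poster or from Splunk: snapshot the log directory twice and report files whose leading bytes are unchanged but whose name differs. It assumes Splunk's default `initCrcLength` of 256 bytes and uses `zlib.crc32` as a stand-in for Splunk's own checksum; the function names and sample log lines are constructed for illustration.

```python
import os
import tempfile
import zlib

INIT_CRC_LENGTH = 256  # assumption: Splunk's default initCrcLength in inputs.conf


def head_key(path, length=INIT_CRC_LENGTH):
    """Checksum of the first `length` bytes. zlib.crc32 is a stand-in, not Splunk's function."""
    with open(path, "rb") as fh:
        return zlib.crc32(fh.read(length))


def snapshot(directory, prefix="test.log"):
    """Map head checksum -> sorted file names currently carrying that head."""
    seen = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.startswith(prefix) and os.path.isfile(full):
            seen.setdefault(head_key(full), []).append(name)
    return seen


def renamed(before, after):
    """Return (old_names, new_names) pairs where the same head now has different names."""
    return [(before[k], after[k]) for k in before if k in after and before[k] != after[k]]


def demo():
    """Constructed replay of the thread: roll to .1, then the archiver renames it."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "test.log")
        with open(live, "wb") as fh:
            fh.write(b"03-15-2011 04:29:46 constructed sample line\n" * 20)
        os.rename(live, os.path.join(d, "test.log.1"))      # log roll
        with open(live, "wb") as fh:                         # new live file
            fh.write(b"03-15-2011 04:35:02 constructed sample line\n" * 20)
        first = snapshot(d)
        os.rename(os.path.join(d, "test.log.1"),
                  os.path.join(d, "test.log.20110316"))     # archiver rename
        return renamed(first, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

Any pair it reports is a file that a `test.log*` monitor would have seen under two names with the same leading bytes, which is the condition the TailingProcessor error above describes.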