Getting Data In

How to manage indexing rolling log files without duplicating data in the Index

Path Finder

We are testing in a high-throughput environment, capturing logs that grow to 251MB in ~4-6 minutes, at which time the logs are rolled to a dated log file.

e.g. test.log -> test.log.20110315042946

The problem is that Splunk thinks we have already indexed one or more of the rolled log files, which results in us missing data from the performance run. I have read about using the crcSalt, but also that it should be avoided on rotating log files.

03-15-2011 09:38:04.028 ERROR TailingProcessor - Ignoring path due to: File will not be read, seekptr checksum did not match (file=/opt/perf/gett/log/test.log.20110315091120). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or contact Splunk Support for more info.

Can someone suggest how this problem can be managed?


Re: How to manage indexing rolling log files without duplicating data in the Index

Communicator

Could you name the log file with the associated date / time value at the beginning rather than changing it afterwards?


Re: How to manage indexing rolling log files without duplicating data in the Index

Splunk Employee

Are the files simply renamed when they are rolled? What is the inputs.conf stanza that you are using to monitor the files?


Re: How to manage indexing rolling log files without duplicating data in the Index

Path Finder

Hi all. Thanks for the help. We found that the rolling log file was also being renamed by another log archiving process.

What was happening was the log would be rolled to test.log.1

Then, the archiving process would rename it to test.log.20110316

We think that Splunk was seeing the log in the .1 format and when the file name changed to .2011*, the CRC had issues.

After changing our inputs.conf, we are not seeing the issue.

We were monitoring test.log* and now only monitor test.log and test.log.2011*

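The thread turns on how a tailing input decides whether a file it sees is one it has already read. The following is an added, simplified model of that mechanism, written for this page; it is not Splunk's code and does not claim to reproduce its exact logic. It assumes the documented defaults (a file is identified by a CRC over its first 256 bytes, `crcSalt = <SOURCE>` mixes the path into that CRC) and adds a checksum of the bytes just before the last read position so a renamed file can be verified before reading resumes. The sample log contents, the 256-byte banner that makes two runs start with identical bytes, the filenames, and the `matching_inputs` helper (which uses `fnmatch` in place of Splunk's wildcard handling) are all constructed for the example. It replays the rename chain from the last post (`test.log` -> `test.log.1` -> `test.log.20110316`) with and without the salt, and shows which of those names the old `test.log*` monitor and the narrowed `test.log` / `test.log.2011*` monitors pick up.

```python
import fnmatch
import zlib

INIT_CRC_LENGTH = 256  # bytes hashed to identify a file (Splunk's default initCrcLength)


class FileTracker:
    """Simplified model (not Splunk's code) of tailing-input file tracking.

    A file is identified by the CRC of its first INIT_CRC_LENGTH bytes,
    optionally salted with its path (crcSalt = <SOURCE>). The tracker also
    stores a checksum of the bytes just before the last read position, so a
    file reappearing under a new name can be verified before reading resumes.
    """

    def __init__(self, crc_salt_source=False):
        self.crc_salt_source = crc_salt_source
        self.records = {}  # initcrc -> {"filename", "seekptr", "seek_crc"}

    def _init_crc(self, filename, data):
        head = data[:INIT_CRC_LENGTH]
        if self.crc_salt_source:
            head += filename.encode()
        return zlib.crc32(head)

    @staticmethod
    def _seek_crc(data, seekptr):
        # checksum of the bytes immediately before the read position
        return zlib.crc32(data[max(0, seekptr - INIT_CRC_LENGTH):seekptr])

    def _store(self, crc, filename, data):
        self.records[crc] = {"filename": filename, "seekptr": len(data),
                             "seek_crc": self._seek_crc(data, len(data))}

    def scan(self, filename, data):
        """Examine one file's current contents; return (decision, bytes indexed)."""
        crc = self._init_crc(filename, data)
        rec = self.records.get(crc)
        if rec is None:
            self._store(crc, filename, data)
            return "new", len(data)
        if len(data) >= rec["seekptr"] and self._seek_crc(data, rec["seekptr"]) == rec["seek_crc"]:
            new_bytes = len(data) - rec["seekptr"]
            self._store(crc, filename, data)  # resume, possibly under a new name
            return "resumed", new_bytes
        if rec["filename"] != filename:
            # the situation behind the TailingProcessor error quoted in the question:
            # same leading bytes, different name, data at the seek pointer differs
            return "ignored (seekptr checksum mismatch, filename was different)", 0
        self._store(crc, filename, data)  # same name, rewritten content: read it again
        return "reread", len(data)


# Constructed sample logs: a fixed 256-byte banner makes both runs share their
# first INIT_CRC_LENGTH bytes, which is what provokes the collision.
BANNER = b"# perf test log v1 host=lab01\n".ljust(INIT_CRC_LENGTH, b"#")
RUN1 = BANNER + b"\nrun=1 " + b"x" * 100
RUN2 = BANNER + b"\nrun=2 " + b"y" * 100


def rotation_sequence(crc_salt_source):
    """Replay the rename chain from the thread and record each decision."""
    t = FileTracker(crc_salt_source)
    steps = [
        ("test.log", RUN1),            # run 1 written
        ("test.log.1", RUN1),          # rolled: same bytes, new name
        ("test.log", RUN2),            # fresh test.log for run 2, same banner
        ("test.log.20110316", RUN1),   # archiver renames the rolled file again
    ]
    return [(name, *t.scan(name, data)) for name, data in steps]


def matching_inputs(patterns, names):
    """Which filenames a set of monitor globs would pick up (fnmatch stands in
    for Splunk's wildcard handling)."""
    return [n for n in names if any(fnmatch.fnmatch(n, p) for p in patterns)]


if __name__ == "__main__":
    for salted in (False, True):
        print(f"crcSalt=<SOURCE>: {salted}")
        for name, decision, n in rotation_sequence(salted):
            print(f"  {name:<20} {decision:<60} {n:>4} bytes")
    names = ["test.log", "test.log.1", "test.log.20110316"]
    print("monitor test.log*                ->", matching_inputs(["test.log*"], names))
    print("monitor test.log, test.log.2011* ->", matching_inputs(["test.log", "test.log.2011*"], names))
```

Without the salt, the second run's `test.log` is ignored because its first 256 bytes match a file already tracked under another name, which is the data loss the question describes. With `crcSalt = <SOURCE>`, nothing is ignored, but every rename of the rolled file is treated as a brand-new file and indexed again, which is why the salt is discouraged on rotating logs. The glob check shows that `test.log*` also matched the transient `test.log.1` name, so the input saw the same content under three names in turn; the narrowed patterns skip that intermediate step.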