How to properly disable a WatchedFile using the Un...

thabben · ‎08-02-2017

On Solaris 10/11 - Our $SPLUNK_HOME/var/log/splunk/splunkd.log file has many of the following messages, 1 per second every minute.

08-02-2017 18:04:06.787 -0500 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.

I have tried various configs with the $SPLUNK_HOME/etc/system/local/inputs.conf [blacklist:///etc/dfs/] and [monitor://] with disable = true, but nothing works.
Thanks.

micahkemp · ‎01-12-2018

You can determine which monitor stanza is responsible for this by examining the output of:

splunk list monitor

After which you can work to tune your blacklist/whitelist to try to prevent it from being indexed.

morgan03 · ‎01-11-2018

Do you install unix app?

I get same information

01-11-2018 16:36:05.204 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.
01-11-2018 16:36:06.266 +0800 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/etc/dfs/sharetab'.

I found the app inputs.conf

[monitor:///etc]
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
blacklist = etc/dfs/*
index=os
disabled = 0

The message won't be happened.

It's useful for me. maybe you can try it.

How to properly disable a WatchedFile using the Universal Forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation