Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I'm getting an error for some files I am monitoring about hitting EOF while computing CRC. What does this mean?

the_wolverine
Champion
‎02-12-2010 10:17 PM

I'm seeing the following errors in splunkd.log and my file isn't being monitored properly -- the events don't seem to be coming in anymore!

FileInputTracker - Stored seekPtr longer than file: /opt/IBM/WebSphere/AppServer/myServer/SystemOut.log.
FileInputTracker - Read a similar file to this that was longer. Perhaps you have two files that have the same content.
FileInputTracker - Hit EOF while computing CRC: 0/256.
FileInputTracker - Couldn't get CRC for file: /opt/IBM/WebSphere/AppServer/myServer/SystemOut.log

What could be the issue?

Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎02-12-2010 10:28 PM

This means that Splunk cannot get a correct read on the file to calculate the CRC. Or, the file may be the same as another file. To workaround, add the following setting to the appropriate monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf: crcSalt = <SOURCE>

For example:

[monitor:///opt/IBM/WebSphere/AppServer/myServer/SystemOut.log]
crcSalt = <SOURCE>

*NOTE: the example above is literal/verbatim. You will need to enter it exactly as specified in the example above including exact case/capitalization.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

shirolu
Explorer
‎06-01-2010 01:49 PM

CrcSalt = I set the parameters in the input.conf

I have the right information into the index

But the data

The emergence of many duplicate information

How do I remove the duplicate information to

CT

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎03-13-2010 05:56 AM

The "simialr file to this that was longer" message typically means you've got files with headers, so more than one looks the same, and when the log rolls, splunk is a bit unsure what the story is.

The "hit EOF while computing CRC: 0/256" means that, as you say, we failed to grab a CRC from the file, which could be because it's too short (under 256 bytes), or sometimes it can indicate weird read errors that splunk didn't expect.

If you're seeing these within milliseconds of each other, you may want to take a closer look at what's going on with the files before taking action.

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎02-12-2010 10:28 PM

This means that Splunk cannot get a correct read on the file to calculate the CRC. Or, the file may be the same as another file. To workaround, add the following setting to the appropriate monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf: crcSalt = <SOURCE>

For example:

[monitor:///opt/IBM/WebSphere/AppServer/myServer/SystemOut.log]
crcSalt = <SOURCE>

*NOTE: the example above is literal/verbatim. You will need to enter it exactly as specified in the example above including exact case/capitalization.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...