Getting Data In

Indexing same file: crcSalt = <SOURCE> not working as expected

lpino
Path Finder

Hello everybody,

I need to ingest into Splunk a CSV file containing an inventory of mobile devices. The HF that monitors such directory is a Red Hat 8 server with Splunk 8.1.0 installed.
Since the file is about an inventory, the CSV file doesn't change frequently, and Splunk complains because the file is the same of the first indexed:

 

02-12-2021 03:00:04.466 +0100 ERROR TailReader - File will not be read, is too small to match seekptr checksum (file=/path/to/file/filename_YYYY_mm_DD_HH_MM_SS_MILLIS.csv).  Last time we saw this initcrc, filename was different.  You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.

 

As suggested in other posts, I added the following line in inputs.conf:

 

crcSalt = <SOURCE>

 

The CSV file is downloaded once a day using a REST call, and the file name has the timestamp appended at the end of the name, so I expected this option would help me to overcome the issue. But, despite I set the crcSalt, Splunk is keeping on complaining, skipping the file and giving me the same message as above.
Any idea about this issue? Am I doing anything wrong?
Thanks in advance

Labels (4)
Tags (2)
0 Karma
1 Solution

lpino
Path Finder

I solved simply by putting this into props.conf:

CHECK_METHOD = modtime

Now it works as expected.

View solution in original post

0 Karma

lpino
Path Finder

I solved simply by putting this into props.conf:

CHECK_METHOD = modtime

Now it works as expected.

0 Karma

actionabledata
Path Finder

Which takes precedence: the props.conf setting (CHECK_METHOD) or the inputs.conf setting (crcSALT)?

CHECK_METHOD = modtime
# Notes from props.conf spec
Set CHECK_METHOD to "modtime" to check only the modification
time of the file.
crcSalt = <SOURCE>
# Notes from inputs.conf spec
# If set to the literal string "<SOURCE>" (including the angle brackets), the
# full directory path to the source file is added to the CRC. This ensures
# that each file being monitored has a unique CRC. When 'crcSalt' is invoked,
# it is usually set to <SOURCE>. 

 

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...