Hello everybody,
I need to ingest into Splunk a CSV file containing an inventory of mobile devices. The HF that monitors such directory is a Red Hat 8 server with Splunk 8.1.0 installed.
Since the file is about an inventory, the CSV file doesn't change frequently, and Splunk complains because the file is the same of the first indexed:
02-12-2021 03:00:04.466 +0100 ERROR TailReader - File will not be read, is too small to match seekptr checksum (file=/path/to/file/filename_YYYY_mm_DD_HH_MM_SS_MILLIS.csv). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
As suggested in other posts, I added the following line in inputs.conf:
crcSalt = <SOURCE>
The CSV file is downloaded once a day using a REST call, and the file name has the timestamp appended at the end of the name, so I expected this option would help me to overcome the issue. But, despite I set the crcSalt, Splunk is keeping on complaining, skipping the file and giving me the same message as above.
Any idea about this issue? Am I doing anything wrong?
Thanks in advance
I solved simply by putting this into props.conf:
CHECK_METHOD = modtime
Now it works as expected.
I solved simply by putting this into props.conf:
CHECK_METHOD = modtime
Now it works as expected.
Which takes precedence: the props.conf setting (CHECK_METHOD) or the inputs.conf setting (crcSALT)?
CHECK_METHOD = modtime
# Notes from props.conf spec
Set CHECK_METHOD to "modtime" to check only the modification
time of the file.
crcSalt = <SOURCE>
# Notes from inputs.conf spec
# If set to the literal string "<SOURCE>" (including the angle brackets), the
# full directory path to the source file is added to the CRC. This ensures
# that each file being monitored has a unique CRC. When 'crcSalt' is invoked,
# it is usually set to <SOURCE>.