Getting Data In

Indexing same file: crcSalt = <SOURCE> not working as expected

lpino
Path Finder

Hello everybody,

I need to ingest into Splunk a CSV file containing an inventory of mobile devices. The HF that monitors such directory is a Red Hat 8 server with Splunk 8.1.0 installed.
Since the file is about an inventory, the CSV file doesn't change frequently, and Splunk complains because the file is the same of the first indexed:

 

02-12-2021 03:00:04.466 +0100 ERROR TailReader - File will not be read, is too small to match seekptr checksum (file=/path/to/file/filename_YYYY_mm_DD_HH_MM_SS_MILLIS.csv).  Last time we saw this initcrc, filename was different.  You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.

 

As suggested in other posts, I added the following line in inputs.conf:

 

crcSalt = <SOURCE>

 

The CSV file is downloaded once a day using a REST call, and the file name has the timestamp appended at the end of the name, so I expected this option would help me to overcome the issue. But, despite I set the crcSalt, Splunk is keeping on complaining, skipping the file and giving me the same message as above.
Any idea about this issue? Am I doing anything wrong?
Thanks in advance

Labels (4)
Tags (2)
0 Karma
1 Solution

lpino
Path Finder

I solved simply by putting this into props.conf:

CHECK_METHOD = modtime

Now it works as expected.

View solution in original post

0 Karma

lpino
Path Finder

I solved simply by putting this into props.conf:

CHECK_METHOD = modtime

Now it works as expected.

0 Karma

actionabledata
Path Finder

Which takes precedence: the props.conf setting (CHECK_METHOD) or the inputs.conf setting (crcSALT)?

CHECK_METHOD = modtime
# Notes from props.conf spec
Set CHECK_METHOD to "modtime" to check only the modification
time of the file.
crcSalt = <SOURCE>
# Notes from inputs.conf spec
# If set to the literal string "<SOURCE>" (including the angle brackets), the
# full directory path to the source file is added to the CRC. This ensures
# that each file being monitored has a unique CRC. When 'crcSalt' is invoked,
# it is usually set to <SOURCE>. 

 

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...