Getting Data In

Indexing same file: crcSalt = <SOURCE> not working as expected

lpino
Path Finder

Hello everybody,

I need to ingest into Splunk a CSV file containing an inventory of mobile devices. The HF that monitors such directory is a Red Hat 8 server with Splunk 8.1.0 installed.
Since the file is about an inventory, the CSV file doesn't change frequently, and Splunk complains because the file is the same of the first indexed:

 

02-12-2021 03:00:04.466 +0100 ERROR TailReader - File will not be read, is too small to match seekptr checksum (file=/path/to/file/filename_YYYY_mm_DD_HH_MM_SS_MILLIS.csv).  Last time we saw this initcrc, filename was different.  You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.

 

As suggested in other posts, I added the following line in inputs.conf:

 

crcSalt = <SOURCE>

 

The CSV file is downloaded once a day using a REST call, and the file name has the timestamp appended at the end of the name, so I expected this option would help me to overcome the issue. But, despite I set the crcSalt, Splunk is keeping on complaining, skipping the file and giving me the same message as above.
Any idea about this issue? Am I doing anything wrong?
Thanks in advance

Labels (4)
Tags (2)
0 Karma
1 Solution

lpino
Path Finder

I solved simply by putting this into props.conf:

CHECK_METHOD = modtime

Now it works as expected.

View solution in original post

0 Karma

lpino
Path Finder

I solved simply by putting this into props.conf:

CHECK_METHOD = modtime

Now it works as expected.

0 Karma

actionabledata
Path Finder

Which takes precedence: the props.conf setting (CHECK_METHOD) or the inputs.conf setting (crcSALT)?

CHECK_METHOD = modtime
# Notes from props.conf spec
Set CHECK_METHOD to "modtime" to check only the modification
time of the file.
crcSalt = <SOURCE>
# Notes from inputs.conf spec
# If set to the literal string "<SOURCE>" (including the angle brackets), the
# full directory path to the source file is added to the CRC. This ensures
# that each file being monitored has a unique CRC. When 'crcSalt' is invoked,
# it is usually set to <SOURCE>. 

 

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...