Interpreting errors after deleting Splunk log files

aafogles
Explorer

I'm reinstalling some UFs in my VM network. I'm using a suggestion posted in http://answers.splunk.com/answers/86950/upgrading-the-universal-forwarder-from-32bit-to-64bit

1 - backup the $SPLUNK_HOME/etc/ folder
2 - backup the $SPLUNK_HOME/var/ folder
3 - remove the old 32bit installation
4 - install the new one (same version but 64bit)
5 - copy back the etc folder to replace
6 - copy back the var folder to replace
7 - start splunk

Due to size restrictions of my /opt directory in my VMs, I'd like to wipe the .../log/splunk directory (most are over 100MB in size) before backing up the .../var directory. However, when the change is complete, I get a batch of errors like the one below. I see that my log files are still being written to, but I'm having a hard time testing what's going on in terms of indexing the sourcetype 'splunkd'. Is the error below a one time thing or will the UFs no longer tail any log files (i.e., the new ones)? If not, will they reindex on every restart or simply not index at all? Would there be a way to correct it, via Splunk command, conf file, or refresh? Thanks!

05-21-2014 16:42:11.979 -0400 ERROR TailingProcessor - Invalid value ' ' for parameter ‘detect_trailing_nulls’ for source ‘/opt/splunkforwarder/var/log/splunk/metrics.log’, sourcetype ‘splunkd’. Assuming default of ‘false’.

0 Karma

jrodman
Splunk Employee

This error means that the system cannot find a configuration value for this setting for those files. Most likely something irregular happened regarding the default conf files as they are perceived in memory, and wiping the log dir forced splunk to re-consider the splunk-specific logfiles. When tailing starts working on a file, it computes the configurations to use. In this case, an expected setting was not available or was set to blank, and you got an error.

One possibility is that you upgraded from a version that does not have detect_trailing_nulls support, to a version that does, but reinstated the conf files from the older version.

This message is emitted as an ERROR because it indicates that the conf files being used are not in a valid state. However, this specific setting being missing will not affect behavior, as the message states, because it is assuming the default of false and proceeding.

0 Karma
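An added example, not part of the original thread and not Splunk tooling: it parses TailingProcessor errors of the form quoted in the question to show which parameter and sourcetype are affected, then scans conf-file text for settings assigned a blank value, the condition the answer describes. The log excerpt, the props.conf text and the function names are constructed for illustration.

```python
import re
from collections import Counter

Q = r"['\u2018\u2019]"  # the forum rendered some quotes as curly; accept both
ERR = re.compile(
    r"ERROR TailingProcessor - Invalid value " + Q + r"(?P<value>.*?)" + Q
    + r" for parameter " + Q + r"(?P<param>.+?)" + Q
    + r" for source " + Q + r"(?P<source>.+?)" + Q
    + r", sourcetype " + Q + r"(?P<sourcetype>.+?)" + Q)

# Constructed splunkd.log excerpt modelled on the message in the question.
SAMPLE_LOG = """\
05-21-2014 16:42:11.979 -0400 ERROR TailingProcessor - Invalid value ' ' for parameter 'detect_trailing_nulls' for source '/opt/splunkforwarder/var/log/splunk/metrics.log', sourcetype 'splunkd'. Assuming default of 'false'.
05-21-2014 16:42:11.981 -0400 ERROR TailingProcessor - Invalid value ' ' for parameter 'detect_trailing_nulls' for source '/opt/splunkforwarder/var/log/splunk/splunkd.log', sourcetype 'splunkd'. Assuming default of 'false'.
05-21-2014 16:42:12.101 -0400 INFO  TailingProcessor - unrelated constructed line
"""

# Constructed props.conf text (assumption: restored from an older install).
SAMPLE_PROPS = """\
[default]
CHARSET = UTF-8
[splunkd]
detect_trailing_nulls =
MAX_TIMESTAMP_LOOKAHEAD = 40
"""

def summarize_errors(log_text):
    """Count affected sources per (parameter, sourcetype) pair."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ERR.search(line)
        if m:
            hits[(m["param"], m["sourcetype"])] += 1
    return hits

def blank_settings(conf_text):
    """Return (stanza, key) pairs whose value is empty."""
    stanza, found = "default", []  # settings before any stanza are global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, _, value = line.partition("=")
            if not value.strip():
                found.append((stanza, key.strip()))
    return found

if __name__ == "__main__":
    print(dict(summarize_errors(SAMPLE_LOG)))
    print(blank_settings(SAMPLE_PROPS))
```

This checks one file's text only; on a real forwarder the effective value comes from all layered conf files, which `splunk btool props list splunkd --debug` prints together with the file each setting came from.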