I'm using Splunk 4.3.2 on Windows (Azure). I configure the universal forwarder on a Windows server to monitor a directory by shell-exec'ing "splunk add monitor
Everything works fine but my splunkd.log will sometimes complain that:
File will not be read, is too small to match seekptr checksum (file=C:\Resources\directory\bce7b8e5f5ef487bbc32b177499f8f18.Website.TraceFolder\trace-2012-06-21-22-08-25-980.json). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
I would like to set a CRC salt on all file sources in this directory, but I would like to do it in the CLI command that I shell-exec when I tell Splunk to monitor this directory.
Is this possible?
Yes, you can. Try:
$SPLUNK_HOME/bin/splunk add monitor <path> -crc-salt "<SOURCE>"
Just a note as to where this monitor winds up; it is added to the inputs.conf in $SPLUNK_HOME/etc/apps/search/local/.
This argument is undocumented in the splunk CLI help at this point. We'll get it in there soon enough, since there is a demand for it.
Still not documented.
splunk@worker-1:/$ date
Wed May 22 12:53:14 UTC 2019
splunk@worker-1:/$ /opt/splunkforwarder/bin/splunk --version
Splunk Universal Forwarder 7.2.6 (build c0bf0f679ce9)
splunk@worker-1:/$ /opt/splunkforwarder/bin/splunk help add monitor
adds monitor directory and file inputs
Syntax:
add monitor source [-parameter <value>] ...
Objects:
add monitor adds monitor directory and file inputs
Required Parameters:
(For add monitor)
source path to a file or directory whose contents should be indexed by the Splunk server, and then watched for new input. The Splunk server unpacks tarfiles and compressed files.
Optional Parameters:
(For add monitor)
sourcetype source type value to set for events from the source
index a local Splunk index to place events from the source. Note: For forwarding instances of Splunk (which typically do not have local indexes), you have to edit the configuration file (inputs.conf) to specify an input for an index on a remote server.
hostname host name to set as the host value
hostregex regular expression of file path to set as the host value
hostsegmentnum number of segments in the file path to set as the host value
follow-only only read from the end of the file (True|False, default=False)
Examples:
./splunk add monitor /var/log/
./splunk add monitor -source c:\Windows\windowsupdate.log -index newindex
./splunk add monitor -source c:\windows\system32\LogFiles\W3SVC
Type "help [command]" to get help with parameters for a specific command.
Complete documentation is available online at: http://docs.splunk.com/Documentation
Exactly what I was looking for - thanks! BTW, where did you find this if I may ask? I did a "$SPLUNK_HOME/bin/splunk help add monitor" but didn't see this option.
You can use the Splunk REST API to modify configuration:
# to create a stanza
curl -k -u admin:pwd https://localhost:8089/services/properties/inputs -d __stanza=monitor%3A%2F%2FC%3A%5CWINDOWS%5CSystem32
# to set crcSalt
curl -k -u admin:pwd https://localhost:8089/services/properties/inputs/monitor%3A%2F%2FC%3A%5CWINDOWS%5CSystem32 -d crcSalt=%3CSOURCE%3E
Or maybe just append a new stanza with crcSalt to the end of inputs.conf (e.g. type stanza.file >> inputs.conf), if you can execute elevated scripts? You need to reboot Splunk after that.
Thanks - appreciate the pointer about the REST API - I think this would work for me as well! But since I already shell-exec a "splunk add monitor" command from my process, the best solution at this time for me is to just append "-crc-salt" as hexx suggested in his answer.
Try to set crcSalt in inputs.conf. Note that <SOURCE> must be in caps. See also the full spec for inputs.conf: http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputs.conf
[monitor://path-to-dir]
disabled = false
crcSalt = <SOURCE>
Unfortunately, as I mentioned, I don't have the option of editing the Inputs.conf file - I am looking for a way to set the crcSalt option via the Command-Line Interface (CLI) - the moral equivalent of "./splunk add monitor
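Why the splunkd.log warning in the question appears and what `crcSalt = <SOURCE>` changes, as an added example that is not part of the original thread and is not Splunk's code: a simplified model in which a monitor identifies a file by a CRC over its first 256 bytes. `zlib.crc32`, the function names, the file paths and the file contents are assumptions constructed for illustration.

```python
import zlib

# Assumption: 256 bytes mirrors the default head length described in Splunk's
# inputs.conf documentation; zlib.crc32 stands in for the real checksum.
INIT_CRC_LEN = 256

def file_key(path, content, crc_salt=None):
    """Identity a simplified monitor uses to decide 'have I read this file?'."""
    head = content[:INIT_CRC_LEN]
    if crc_salt == "<SOURCE>":
        head = path.encode() + head      # salt with the full source path
    elif crc_salt:
        head = crc_salt.encode() + head  # any other value is a fixed string salt
    return zlib.crc32(head)

def ingest(files, crc_salt=None):
    """Return (read, skipped) path lists for an ordered list of (path, content)."""
    seen, read, skipped = set(), [], []
    for path, content in files:
        key = file_key(path, content, crc_salt)
        (skipped if key in seen else read).append(path)
        seen.add(key)
    return read, skipped

# Constructed sample data: two distinct trace files whose first 256 bytes match.
HEADER = b'{"schema":"trace-v1","fields":[' + b'"col",' * 50   # 331 bytes
TRACES = [
    (r"C:\logs\TraceFolder\trace-a.json", HEADER + b'"event 1"]}'),
    (r"C:\logs\TraceFolder\trace-b.json", HEADER + b'"event 2"]}'),
]
# Constructed sample data: one file seen under two names after a rotation.
ROTATED = [
    ("/var/log/app/trace.json.0", HEADER + b'"event 1"]}'),
    ("/var/log/app/trace.json.1", HEADER + b'"event 1"]}'),
]

if __name__ == "__main__":
    for label, files in (("traces", TRACES), ("rotated", ROTATED)):
        for salt in (None, "<SOURCE>"):
            read, skipped = ingest(files, salt)
            print(f"{label:8} crcSalt={salt!s:9} read={len(read)} skipped={len(skipped)}")
```

Without the salt the second trace file is never read, which is a silent gap in what reaches the indexer; with `<SOURCE>` a rotated file is read again under its new name, so expect duplicate events where files are renamed.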