Getting Data In

Is there a way to add a CRC salt via the CLI?

ogazitt
Explorer

I'm using Splunk 4.3.2 on Windows (Azure). I configure the universal forwarder on a Windows server to monitor a directory by shell-exec'ing "splunk add monitor " from a program (unfortunately this must be done programmatically).

Everything works fine but my splunkd.log will sometimes complain that:

File will not be read, is too small to match seekptr checksum (file=C:\Resources\directory\bce7b8e5f5ef487bbc32b177499f8f18.Website.TraceFolder\trace-2012-06-21-22-08-25-980.json). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.

I would like to set a CRC salt on all file sources in this directory, but I would like to do it in the CLI command that I shell-exec when I tell splunk to monitor this directory.

Is this possible?

1 Solution

hexx
Splunk Employee

Yes, you can. Try:

$SPLUNK_HOME/bin/splunk add monitor <path> -crc-salt "<SOURCE>"

cplarsch
New Member

Just a note as to where this monitor winds up; it is added to the inputs.conf in $SPLUNK_HOME/etc/apps/search/local/.

0 Karma

hexx
Splunk Employee

This argument is undocumented in the splunk CLI help at this point. We'll get it in there soon enough, since there is a demand for it.

0 Karma

gibban69
Engager

Still not documented.

splunk@worker-1:/$ date
Wed May 22 12:53:14 UTC 2019
splunk@worker-1:/$ /opt/splunkforwarder/bin/splunk --version
Splunk Universal Forwarder 7.2.6 (build c0bf0f679ce9)
splunk@worker-1:/$ /opt/splunkforwarder/bin/splunk help add monitor



adds monitor directory and file inputs

Syntax:

        add monitor source [-parameter <value>] ...

Objects:

        add monitor                             adds monitor directory and file inputs

Required Parameters:

        (For add monitor)
                source                          path to a file or directory whose contents should be indexed by the Splunk server, and then watched for new input. The Splunk server unpacks tarfiles and compressed files.

Optional Parameters:

        (For add monitor)
                sourcetype                      source type value to set for events from the source

                index                           a local Splunk index to place events from the source. Note: For forwarding instances of Splunk (which typically do not have local indexes), you have to edit the configuration file (inputs.conf) to specify an input for an index on a remote server.

                hostname                        host name to set as the host value

                hostregex                       regular expression of file path to set as the host value

                hostsegmentnum                  number of segments in the file path to set as the host value

                follow-only                     only read from the end of the file (True|False, default=False)

Examples:

        ./splunk add monitor /var/log/

        ./splunk add monitor -source c:\Windows\windowsupdate.log -index newindex

        ./splunk add monitor -source c:\windows\system32\LogFiles\W3SVC

Type "help [command]" to get help with parameters for a specific command.

Complete documentation is available online at: http://docs.splunk.com/Documentation
0 Karma

ogazitt
Explorer

Exactly what I was looking for - thanks! BTW, where did you find this if I may ask? I did a "$SPLUNK_HOME/bin/splunk help add monitor" but didn't see this option.

0 Karma

rovechkin_splun
Splunk Employee

You can use the Splunk REST API to modify configuration:

// to create a stanza

curl -k -u admin:pwd https://localhost:8089/services/properties/inputs -d __stanza=monitor%3A%2F%2FC%3A%5CWINDOWS%5CSystem32

// to set crcSalt

curl -k -u admin:pwd https://localhost:8089/services/properties/inputs/monitor%3A%2F%2FC%3A%5CWINDOWS%5CSystem32 -d crcSalt=%3CSOURCE%3E

Or maybe just append a new stanza with crcSalt to the end of inputs.conf (e.g. type stanza.file >> inputs.conf), if you can execute elevated scripts? You need to reboot Splunk after that.

ogazitt
Explorer

Thanks - appreciate the pointer about the REST API - I think this would work for me as well! But since I already shell-exec a "splunk add monitor" command from my process, the best solution at this time for me is to just append "-crc-salt" as hexx suggested in his answer.

rovechkin_splun
Splunk Employee

Try to set crcSalt in inputs.conf. Note that <SOURCE> must be in caps. See also the full spec for inputs.conf: http://docs.splunk.com/Documentation/Splunk/4.3.2/admin/Inputs.conf

[monitor://path-to-dir]
disabled = false
crcSalt = <SOURCE>

0 Karma
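
Added example, not part of the original thread and not Splunk's code: a simplified model of the initial-CRC check behind the splunkd.log warning, showing why files that share their first bytes are skipped, how crcSalt = <SOURCE> changes that, and the side effect on renamed files. It assumes the inputs.conf default of 256 bytes for the initial CRC, uses zlib.crc32 as a stand-in checksum, and omits the seek-pointer comparison; the function names and sample paths are constructed for illustration.

```python
import zlib

INIT_CRC_LENGTH = 256  # assumed: inputs.conf default for initCrcLength


def init_crc(path, content, crc_salt=None):
    """Model of the initial CRC: checksum of the file's first bytes, optionally salted.

    zlib.crc32 is a stand-in; Splunk's real checksum function is not reproduced here.
    """
    head = content[:INIT_CRC_LENGTH]
    if crc_salt == "<SOURCE>":
        salt = path.encode()      # <SOURCE> expands to the full source path
    elif crc_salt:
        salt = crc_salt.encode()  # any other value is used as a literal string
    else:
        salt = b""
    return zlib.crc32(salt + head)


def simulate(files, crc_salt=None):
    """Return the paths a tailer would read, given (path, content) pairs in arrival order."""
    seen = set()
    read = []
    for path, content in files:
        crc = init_crc(path, content, crc_salt)
        if crc in seen:
            continue              # looks already indexed, so the file is skipped
        seen.add(crc)
        read.append(path)
    return read


# Constructed sample: two trace files whose first 256 bytes are the same header.
HEADER = b'{"schema":"trace/1","host":"web01","fields":[' + b'"f",' * 60
TRACES = [
    ("C:\\traces\\trace-1.json", HEADER + b'"a"]}'),
    ("C:\\traces\\trace-2.json", HEADER + b'"b"]}'),
]
# Constructed sample: the same log content seen before and after a rotation rename.
ROTATED = [
    ("/var/log/app.log.0", b"line 1\nline 2\n"),
    ("/var/log/app.log.1", b"line 1\nline 2\n"),
]

if __name__ == "__main__":
    print("no salt, traces: ", simulate(TRACES))               # second trace skipped
    print("<SOURCE>, traces:", simulate(TRACES, "<SOURCE>"))   # both read
    print("no salt, rotated: ", simulate(ROTATED))             # rename deduplicated
    print("<SOURCE>, rotated:", simulate(ROTATED, "<SOURCE>")) # rename read again
```

The last case is why the setting is best scoped to directories where file names are unique and stable: salting with the path makes a renamed or rotated file look new, so its events are indexed twice.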

ogazitt
Explorer

Unfortunately, as I mentioned, I don't have the option of editing the Inputs.conf file - I am looking for a way to set the crcSalt option via the Command-Line Interface (CLI) - the moral equivalent of "./splunk add monitor set crcSalt=".

0 Karma