Getting Data In

Log file is now not shipping since being deleted

New Member

I had deleted a rogue log file which had become too large and caused the root partition to fill up. The log file has since been regenerated by the application and is now no longer shipping to Splunk.

I have tried to "splunk restart -auth USER:PASSWORD" but receive the below error.

splunkd is not running.

Splunk> Like an F-18, bro.

Checking prerequisites...
    Checking mgmt port [8089]: open
    Checking conf files for problems...
        Invalid key in stanza [tcpout:splunkcloud] in /opt/splunkforwarder/etc/apps/100_splunkcloud/default/outputs.conf, line 16: cipherSuite  ( REMOVED).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64-manifest'
    All installed files intact.
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Bad Option -a
Usage: splunkd [OPTION...]
  --nodaemon      causes the system not to daemonize
  -c STRING       override the config path
  -h              no longer supported
  -i              no longer supported
  -n STRING       the component name to start with
  -p INT          the management port Splunkd will listen on
  --debug         start with debug log config

Help options:
  -?, --help      Show this help message
  --usage         Display brief usage message


05-03-2019 05:51:16.268 +0000 ERROR TailReader - File will not be read, seekptr checksum did not match (file=/home/jenkins/consolidation.log).  Last time we saw this initcrc, filename was different.  You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.  Consult the documentation or file a support case online at for more info. 

Many thanks,

0 Karma


It appears you have two issues going on here.
First, it is not necessary to pass in "auth" to restart Splunk, and it is actually invalid, as you can see from your output.

Next, you have a syntax error in your outputs.conf that you should check using btool.

splunk btool check --debug

If you still have problems with that file after correcting those issues, I would suggest you also add crcSalt to your inputs.conf for the directory you are monitoring.

crcSalt = <SOURCE>

An upvote would be appreciated and Accept Solution if it helps!
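
To show why the forwarder skipped the file and what the two remedies named in the TailReader error change, here is a simplified model, added as an illustration; it is not Splunk's code and not part of the original answer. zlib.crc32 stands in for Splunk's own checksum, and the Tracker class, the sample logs and the path /home/jenkins/other-job.log are constructed for the example.

```python
import zlib

INIT_CRC_LEN = 256  # Splunk's documented default for initCrcLen

def init_crc(data, source, init_crc_len=INIT_CRC_LEN, salt_with_source=False):
    """Checksum of the file head; zlib.crc32 stands in for Splunk's own CRC."""
    head = data[:init_crc_len]
    if salt_with_source:          # models crcSalt = <SOURCE>
        head = source.encode() + head
    return zlib.crc32(head)

class Tracker:
    """Toy record of files already read, keyed by initial CRC."""
    def __init__(self, **crc_options):
        self.crc_options = crc_options
        self.seen = {}  # init crc -> (source, seek offset, crc of data[:offset])

    def check(self, source, data):
        key = init_crc(data, source, **self.crc_options)
        record = (source, len(data), zlib.crc32(data))
        if key not in self.seen:
            self.seen[key] = record
            return "read from start"
        old_source, offset, seek_crc = self.seen[key]
        if len(data) >= offset and zlib.crc32(data[:offset]) == seek_crc:
            self.seen[key] = record
            return "resume at offset %d" % offset
        if old_source != source:
            # The case in the error above: known head, other filename.
            return "skipped: seekptr checksum did not match"
        self.seen[key] = record   # model assumption: same path is re-read
        return "read from start"

# Constructed sample data: two logs that open with the same 300-byte banner.
BANNER = b"=== consolidation job log ===\n" * 10
OLD_LOG = BANNER + b"run 1 ok\n" * 50
NEW_LOG = BANNER + b"run 2 started\n"
OLD_PATH = "/home/jenkins/other-job.log"       # constructed path
NEW_PATH = "/home/jenkins/consolidation.log"   # path from the error above

def replay(**crc_options):
    """Feed the old file, then the regenerated one; return the second verdict."""
    tracker = Tracker(**crc_options)
    tracker.check(OLD_PATH, OLD_LOG)
    return tracker.check(NEW_PATH, NEW_LOG)

if __name__ == "__main__":
    print("defaults:          ", replay())
    print("crcSalt = <SOURCE>:", replay(salt_with_source=True))
    print("initCrcLen = 1024: ", replay(init_crc_len=1024))
```

A file that is silently skipped this way leaves a gap in whatever searches and alerts depend on it, so the TailReader error in splunkd.log is worth monitoring in its own right.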