Getting Data In
Highlighted

Log file is no not shipping since being deleted

New Member

I had deleted a rouge log file which had become too large and caused the root partition to fill up. The log file has since been regenerated by the application and is now no longer shipping to spunk.

I have tried to "splunk restart -auth USER:PASSWORD" but receive the bellow error.

splunkd is not running.

Splunk> Like an F-18, bro.

Checking prerequisites...
    Checking mgmt port [8089]: open
    Checking conf files for problems...
        Invalid key in stanza [tcpout:splunkcloud] in /opt/splunkforwarder/etc/apps/100_splunkcloud/default/outputs.conf, line 16: cipherSuite  ( REMOVED).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Bad Option -a
Usage: splunkd [OPTION...]
  --nodaemon      causes the system not to daemonize
  -c STRING       override the config path
  -h              no longer supported
  -i              no longer supported
  -n STRING       the component name to start with
  -p INT          the management port Splunkd will listen on
  --debug         start with debug log config

Help options:
  -?, --help      Show this help message
  --usage         Display brief usage message

splunkd.log

05-03-2019 05:51:16.268 +0000 ERROR TailReader - File will not be read, seekptr checksum did not match (file=/home/jenkins/consolidation.log).  Last time we saw this initcrc, filename was different.  You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info. 

Many thanks,

0 Karma
Highlighted

Re: Log file is no not shipping since being deleted

Motivator

It appears you have two issues going on here.
First, it is not necessary to pass in "auth" to restart splunk, and is actually invalid as you can see from your output.

Next, you have a syntax error in your outputs.conf that you should check using btool.

splunk btool check --debug

If you still have problems with that file after correcting those issues I would suggest you also add crcSalt to your inputs.conf for the directory you are monitoring.

crcSalt = <SOURCE>