Getting Data In

Log file is not shipping since being deleted

claydb
New Member

I had deleted a rogue log file which had become too large and caused the root partition to fill up. The log file has since been regenerated by the application and is now no longer shipping to Splunk.

I have tried to "splunk restart -auth USER:PASSWORD" but receive the below error.

splunkd is not running.

Splunk> Like an F-18, bro.

Checking prerequisites...
    Checking mgmt port [8089]: open
    Checking conf files for problems...
        Invalid key in stanza [tcpout:splunkcloud] in /opt/splunkforwarder/etc/apps/100_splunkcloud/default/outputs.conf, line 16: cipherSuite  ( REMOVED).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Bad Option -a
Usage: splunkd [OPTION...]
  --nodaemon      causes the system not to daemonize
  -c STRING       override the config path
  -h              no longer supported
  -i              no longer supported
  -n STRING       the component name to start with
  -p INT          the management port Splunkd will listen on
  --debug         start with debug log config

Help options:
  -?, --help      Show this help message
  --usage         Display brief usage message

splunkd.log

05-03-2019 05:51:16.268 +0000 ERROR TailReader - File will not be read, seekptr checksum did not match (file=/home/jenkins/consolidation.log).  Last time we saw this initcrc, filename was different.  You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info. 

Many thanks,


codebuilder
SplunkTrust

It appears you have two issues going on here.
First, it is not necessary to pass in "auth" to restart Splunk, and it is actually invalid, as you can see from your output.

Next, you have a syntax error in your outputs.conf that you should check using btool.

splunk btool check --debug

If you still have problems with that file after correcting those issues, I would suggest you also add crcSalt to your inputs.conf for the directory you are monitoring.

crcSalt = <SOURCE>
----
An upvote would be appreciated and Accept Solution if it helps!
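
The TailReader error in the question concerns a file being fingerprinted by its first initCrcLen bytes. The sketch below is an added example (not from the thread and not Splunk's code) that models that check to find monitored files whose fingerprints collide, and shows what a larger initCrcLen or crcSalt = <SOURCE> changes. Assumptions: zlib.crc32 stands in for Splunk's internal checksum, 256 is taken as the default initCrcLen, and all function names and sample files are constructed for illustration.

```python
import os
import tempfile
import zlib
from pathlib import Path

DEFAULT_INIT_CRC_LEN = 256  # assumed default for initCrcLen in inputs.conf

def init_crc(path, init_crc_len=DEFAULT_INIT_CRC_LEN, salt_with_source=False):
    """Fingerprint a file by its first init_crc_len bytes (zlib.crc32 is a stand-in)."""
    with open(path, "rb") as fh:
        head = fh.read(init_crc_len)
    if salt_with_source:  # models crcSalt = <SOURCE>: mix the path into the checksum
        head += os.fsencode(path)
    return zlib.crc32(head)

def colliding_groups(paths, init_crc_len=DEFAULT_INIT_CRC_LEN, salt_with_source=False):
    """Return groups of two or more paths that share a fingerprint."""
    groups = {}
    for p in paths:
        key = init_crc(p, init_crc_len, salt_with_source)
        groups.setdefault(key, []).append(str(p))
    return [sorted(g) for g in groups.values() if len(g) > 1]

def first_difference(path_a, path_b, chunk=4096):
    """Byte offset where two files first differ, or None if they are identical."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ca, cb = a.read(chunk), b.read(chunk)
            for i, (x, y) in enumerate(zip(ca, cb)):
                if x != y:
                    return offset + i
            if len(ca) != len(cb):
                return offset + min(len(ca), len(cb))  # one file ended first
            if not ca:
                return None
            offset += len(ca)

def demo():
    """Constructed sample: two logs that share a 300-byte banner, then diverge."""
    banner = b"# consolidation job log\n".ljust(300, b"-")
    with tempfile.TemporaryDirectory() as d:
        old, new = Path(d, "old.log"), Path(d, "new.log")
        old.write_bytes(banner + b"run 1 ok\n")
        new.write_bytes(banner + b"run 2 ok\n")
        return {
            "default": colliding_groups([old, new]),
            "larger_len": colliding_groups([old, new], init_crc_len=512),
            "salted": colliding_groups([old, new], salt_with_source=True),
            "first_diff": first_difference(old, new),
        }
```

In this model, calling demo() shows the two files colliding at the default length and separating once the fingerprint covers the first differing byte or includes the path.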