crcSalt is actually very rarely the proper option to set. It's often better to raise the initCrcLength to a higher value in case the file has a pretty constant header.

Hello I see. You mean anything like this ?

initCrcLength = <256>

Close. But without the <> part (the <SOURCE> part must be literally put this way if you use this option). And you'd typically want a higher value if you have a constant header.

Something like

initCrcLength = 1024

for example.

One more. I was checking and one of the files has more than  124 000 bytes. What value I should define for initCrcLenght ?   

Hi

Are you sure that you haven't set this?

ignoreOlderThan

 Can you post your inputs.conf for this source, so we can check if there is something else which can cause this behaviour?

r. Ismo

Hello Ismo,

inputs.conf definition looks like this:

[monitor:///home/sicpa_operator/deploy/PROD/machine/monitoring/*production_statistics.csv]
index = sts
disabled = false
sourcetype = STSLOGMPPS
crcSalt = <SOURCE>

by *production_statistics.csv I make sure all the files have to be synced they only contain different dates at the beginning of each file name. Seems I´m able sync only the files by the deployment date. Means files from date when UF been deployed are synced but the everything before not.
BR

Thanks. 

How about outputs of 

splunk list inputstatus

as @PickleRick asked? That command shows what files it has read and how much has managed.

Also you could try 

splunk btool inputs list monitor:///home/sicpa_operator/deploy/PROD/machine/monitoring/ --debug

to see if there is somewhere defined some weird defaults for your inputs. 

Thanks for reply. I´ve tried with the option: 

initCrcLength = 1024

But still not all the files have been synced. There are still more pending.

You can check the status of your inputs with

splunk list monitor

and

splunk list inputstatus

Hello, thanks for reply. 

crcSalt = <SOURCE>

I´ve been adding crcSalt into my stanza but still the not all the files have been synced either.