Solved: Problem indexing .sdf logs

splunkIT · ‎10-23-2012

Our enviroment consist of splunk light forwarder > intermediate forwarder > indexer.

I'm trying to index the .sdf logs. Our reporting software exports performance (.pdf) log every hour, and we have a script that moves file to correct folder.

This destination folder is monitored by splunk light forwarder (which forwards to the intermediate forwarder, then to the indexer), and each monitored folder has own source and sourcetype.

[monitor://C:\PLET\Splunk\192.9-Kemira-SAP_SAN_2-FC-8G-PUS\*.sdf]
disabled=0
index=dwdm
source=Kemira-SAP_SAN_2-FC-8G-PUS
sourcetype=dwdm-perf
crcSalt = <SOURCE>

However, only some performance logs are coming to indexer. On indexer, I can mostly see three first rows of each file, but other data is left out. I'm suspecting that the reason for this behaviour is that each file's three first rows are identical and the light forwarder suspects that the file is already indexed. I have tried to add crcSalt and modified Check_Method property but these doesn't seems to work.

yannK · ‎10-24-2012

The parsing happens on the indexer and any heavy forwarder.
Not on UF or LWF.

I you have to use heavy forwarders, I recommend to have the necessary props/transforms on every indexers and heavy forwarders.

View solution in original post

splunkIT · ‎10-30-2012

Thanks very much, Yann!

yannK · ‎10-24-2012

The parsing happens on the indexer and any heavy forwarder.
Not on UF or LWF.

I you have to use heavy forwarders, I recommend to have the necessary props/transforms on every indexers and heavy forwarders.

cmendiola · ‎10-24-2012

Posting on behalf of splunkIT:

Ayn: I think you may be correct about the timestamp issue. This are some of the DateParserVerbose errors from the intermediate forwarder:

10-22-2012 07:29:53.181 +0300 WARN DateParserVerbose - Time parsed (Mon Oct 22 00:45:00 2012) is too far away from the previous event's time (Mon Oct 22 22:10:12 2012) to be accepted. If this is a correct time, MAX_DIFF_SECS_AGO (3600) or MAX_DIFF_SECS_HENCE (604800) may be overly restrictive.

Why is the timestamp parsing occurring at the intermediate forwarder, and not at the indexer? I have the props.conf stanzas for all these sourcetypes on the indexer. Did I mis-configure something here?

splunkIT · ‎10-24-2012

yannK: these are .sdf files. They are essentially just .csv files.

Ayn · ‎10-24-2012

Could also be a timestamp issue, i.e. logs are coming in but get a different timestamp than what you expect and therefore falls out of the time window you're searching in. Have you looked for events over all time?

yannK · ‎10-23-2012

sdf or pdf ?

Problem indexing .sdf logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Join the Conversation