Getting Data In

Recently Splunk didn't index one specific log file among many other similar log files

saibal6
Path Finder

Hi Splunk Experts,

I have configured a monitoring path in my Splunk Enterprise environment with the help of the Splunk Universal Forwarder. For the last 2 days I have been facing an issue where one particular log file is not being indexed in my Splunk environment, even though the rest of my log files are the same as that log file: the pattern, naming convention, type, everything is the same.

I thought there was a problem in the indexing phase or a problem in inputs.conf. Many of you will tell me to add crcSalt in inputs.conf, but I have already added it because I faced this kind of issue previously.

But this time my issue is in my Splunk Universal Forwarder. When I checked my Universal Forwarder's splunkd.log file, I found the error log showing why the log file was not getting indexed in my Splunk environment.

The error log is:

(Date and time) WARN TailReader - Access error while handling path: failed to open for checksum: My monitoring Log Path
(Date and time) INFO TailReader - File descriptor cache is full (100), trimming...
(Date and time) INFO TailReader - File descriptor cache is full (100), trimming...
(Date and time) ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
(Date and time) INFO TcpOutputProc - Connection to xx.xxx.xx.xx:9997 closed. Read error. An established connection was aborted by the software in your host machine.

I don't know how to fix this issue, and the important part is that this same configuration was done a long time ago, at least nearly 2 months, and it was working properly. I don't know what happened on my Universal Forwarder server that it's showing me this issue.

Please help me with this matter, and if you have a relevant Splunk document, please attach the URL as well. My Universal Forwarder and Splunk Enterprise environment are both on Windows OS.

Thanks,
@saibal6
