Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Seeing checksum errors when on-boarding data

power12
Communicator
‎05-16-2024 12:49 PM

Hello ,

i have logs in following path
/abc-logs/hosta/mods/stdout.240513-070854
/abc-logs/hostb/mods/stdout.240513-070854
/abc-logs/hostc/mods/stdout.240513-070854
/abc-logs/hostd.a.clusters.abc.com/mods/stdout.240206-084344
/abc-logs/hoste/mods/stdout.240513-070854

when I am trying monitor this path to get logs into splunk .I only get two files

.when checked internal logs i see following errors
05-16-2024 10:07:25.609 -0700 ERROR TailReader [1846912 tailreader0] - File will not be read, is too small to match seekptr checksum (file=/abc-logs/hosta/mods/stdout.240513-070854).  Last time we saw this initcrc, filename was different.  You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.

A possible timestamp match (Fri Feb 13 15:31:30 2009) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: FileClassifier C:\abc-logs\hostd.a.clusters.abc.com\mods\stdout.240206-084344

I am using below props

[ mods ]
BREAK_ONLY_BEFORE_DATE=null
CHARSET=AUTO
CHECK_METHOD=entire_md5
DATETIME_CONFIG=CURRENT
LINE_BREAKER=([\r\n]+)
MAX_DAYS_AGO =2000
MAX_DAYS_HENCE=365
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Custom
crcSalt=<SOURCE>
initCrcLength = 1048576



i tried changing the CHECK_METHOD to other options but it did not work 

Thanks in advance 

0 Karma
Reply

power12
Communicator
‎05-17-2024 06:43 PM

anyone faced this issues?

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...