Getting Data In

Sometimes get a TailReader ERROR on monitoring a file. Why?


I have a Windows 2008 R2 server with a Splunk UF v6.6.7 installed.

We are monitoring many files on this server. Occasionally our data looks weird, and we come to find out a file wasn't indexed as we'd expect. Today a file wasn't indexed properly, so I looked at the logs, sure enough there is a TailReader ERROR. I'm sure restarting the Splunk UF will resolve (this is how we've fixed it before), but I'd REALLY love to know why this is happening, and prevent it.

Scrubbed btool of the inputs.conf stanza:

_rcvbuf = 1572864
crcSalt = <SOURCE>
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = <my_host>
ignoreOlderThan = 14d
index = <my_index>
sourcetype = <my_sourcetype>
whitelist = <my_filename_prefix>.+\.csv

Scrubbed log from today when file wasn't indexed:

06-13-2018 15:17:22.014 -0400 ERROR TailReader - error from read call from 'D:\Logs\<my_folder>\<my_filename_prefix>_06-13-2018.csv'.

Any help is greatly appreciated! Thank you!

0 Karma


Just shooting from the hip here, but we are talking about Windows. If there is a process actively writing to a file on Windows, it may have a read error due to the nature of how Windows can completely lock a file. Is this happening consistently on that file? I don't know if this would then prevent continued processing of the file, but it could be something to look into.

0 Karma
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...