Hi,
I have a requirement in which a file is continuously dumped with data. Even though I have selected the continuously monitored option, the data from the file does not get indexed after a few changes down the timeline in the file. The file size is hardly 2-3 MB.
Please help!
You could always look for any errors or warnings in the splunkd.log (available through the following search: index=_internal sourcetype=splunkd),
and you can also query the REST endpoint on the Splunk instance where the file is being read (indexer or forwarder):
https://splunk_host:8089/services/admin/inputstatus/TailingProcessor:FileStatus
You will need to authenticate with the proper Splunk username and password.
Scrolling down the list of files, you should find the file you're looking for, and hopefully see some indication of the error.
If it says '100% read' and/or 'finished', it means that the file was successfully read. Perhaps your timestamps are parsed incorrectly, and that could be the reason why they are not returned in the search.
As I already said, provide more info - e.g. some sample data and the relevant sections of the config files.
/K
I am getting the following error message in the splunkd.log file:
1-21-2013 14:02:49.515 +0530 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=C:\Users\10603218\Desktop\testing.txt). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source
At the start, the file is empty, and after a few minutes the data starts getting dumped into the file.
I have a text file at a specific location, which is dumped with data through a telecom tool automatically. If I manually copy the data into the text file, Splunk keeps on indexing it. But when the same data is put in the text file through the automated tool, the file doesn't get indexed, and on some tries about one-fourth of the actual file got indexed.
Can you please help me with this issue?
I think you need to provide more details, e.g. your config files, some sample events, any error messages in the splunkd.log etc.
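
Added example, not part of any post in this thread: a small Python triage script that scans splunkd.log text for the TailingProcessor "seekptr checksum" error quoted above and reports which monitored files were skipped and when. The function name, the regular expressions and the second and third sample lines are assumptions constructed for illustration; only the first sample line comes from the thread.

```python
import re
from collections import defaultdict

# Assumed splunkd.log layout, based on the line quoted in the thread:
# "<date> <time> <tz> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
FILE_RE = re.compile(r"\(file=(?P<path>[^)]*)\)")
CRC_HINT = "seekptr checksum"  # marker text of the error discussed in the thread

# First line is the error quoted in the thread; the other two are constructed.
SAMPLE_LOG = r"""1-21-2013 14:02:49.515 +0530 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=C:\Users\10603218\Desktop\testing.txt). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source
1-21-2013 14:03:10.002 +0530 INFO TailingProcessor - Constructed sample informational line
1-21-2013 14:05:49.120 +0530 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=C:\Users\10603218\Desktop\testing.txt). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source
"""


def skipped_files(log_text):
    """Return {path: [timestamps]} for files TailingProcessor refused to read."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Ignore unparseable lines and other components.
        if not m or m["component"] != "TailingProcessor":
            continue
        # Only WARN/ERROR lines carrying the checksum complaint are of interest.
        if m["level"] not in ("WARN", "ERROR") or CRC_HINT not in m["msg"]:
            continue
        f = FILE_RE.search(m["msg"])
        if f:
            hits[f["path"]].append(m["ts"])
    return dict(hits)


if __name__ == "__main__":
    for path, stamps in skipped_files(SAMPLE_LOG).items():
        print(f"{path}: skipped {len(stamps)}x, first {stamps[0]}, last {stamps[-1]}")
```

The "CRC salt" the error message refers to is the crcSalt setting in the inputs.conf stanza for the monitored file.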