Getting Data In

Splunk doesn't index newly created logfile.

chrisitanmoleck
Path Finder

Hello,

I observe an FTP logfile. The server creates one logfile for each day.
At midnight a new file is created, but it is not readable for the forwarder.
If I restart the forwarder, everything is fine and the file is forwarded.

Example:

20th March 11PM: Logfile is being forwarded to the indexer
21st March 01AM: No forwarding
21st March 08AM: Forwarder restart
21st March 08AM: Logfile is being forwarded to the indexer

The splunkd logfile has three entries:

03-21-2014 00:01:19.664 +0100 WARN FileClassifierManager - The file 'path_to_logfile' is invalid. Reason: binary
03-21-2014 00:01:19.664 +0100 INFO TailingProcessor - Ignoring file 'path_to_logfile' due to: binary
03-21-2014 04:31:09.931 +0100 ERROR TailingProcessor - Ignoring path="path_to_logfile" due to: Bug: tried to check/configure STData processing but have no pending metadata.

inputs.conf

[monitor://path_to_logfile]
disabled = false
sourcetype = FTPLOG
crcSalt = <SOURCE>
Charset = Auto

props.conf

[monitor://path_to_logfile]
NO_BINARY_CHECK = true

Could you help me?
Christian

0 Karma
1 Solution

MuS
SplunkTrust

Hi chrisitanmolecki,

Splunk checks the first bits of your file. Could there be an invisible control character at the start of your file? That happened to me one time...
Just edited the file with a hex editor and check if there are some strange characters like xA0

hope this helps ...

cheers, MuS

chrisitanmoleck
Path Finder

It works. Thank you MuS and kristian.kolb!!!

0 Karma

chrisitanmoleck
Path Finder

I changed the configs.

First results on Monday morning.

Nice weekend
Christian

0 Karma

kristian_kolb
Ultra Champion

Also (but maybe it's just a typo) you have a props.conf stanza that says [monitor://path_to_log], when it should say [FTPLOG] (i.e. just the sourcetype). The [monitor]-stanzas are for inputs.conf only.

MuS
SplunkTrust

Just saw that your Charset is A) in inputs.conf instead of props.conf and B) is wrong. It should be charset not Charset. See docs about binary file error: http://docs.splunk.com/Documentation/Splunk/6.0.2/Troubleshooting/Binaryfileerror

chrisitanmoleck
Path Finder

The logfile starts with:

#Software: Microsoft Internet Information Services 6.0

In a hex editor it looks like:

2353 6F66 7477....

0 Karma
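
The hex-editor check suggested in the accepted answer, as an added Python example (not code from the thread or from Splunk): it reports a byte-order mark and any non-text bytes at the start of a file. The function names, the 256-byte window and the sample bytes are assumptions made for illustration, and the check does not reproduce Splunk's own binary classifier.

```python
import string

# Byte-order marks that can precede otherwise plain-text log data.
BOMS = {
    b"\xef\xbb\xbf": "UTF-8 BOM",
    b"\xff\xfe": "UTF-16 LE BOM",
    b"\xfe\xff": "UTF-16 BE BOM",
}
# Bytes expected in an ASCII text log: printable characters plus tab, CR, LF.
TEXT_BYTES = frozenset(string.printable.encode("ascii")) - {0x0B, 0x0C}


def inspect_head(data, limit=256):
    """Report a BOM and every non-text byte in the first `limit` bytes."""
    head = data[:limit]
    bom = next((name for sig, name in BOMS.items() if head.startswith(sig)), None)
    skip = next((len(sig) for sig in BOMS if head.startswith(sig)), 0)
    suspicious = [(off, byte) for off, byte in enumerate(head)
                  if off >= skip and byte not in TEXT_BYTES]
    return {"bom": bom, "suspicious": suspicious, "nul_bytes": head.count(0)}


def inspect_file(path, limit=256):
    """Same check for a file on disk, opened read-only in binary mode."""
    with open(path, "rb") as fh:
        return inspect_head(fh.read(limit), limit)


def describe(report):
    """Render a report as one line per finding."""
    lines = [f"BOM: {report['bom']}"] if report["bom"] else []
    lines += [f"offset {off}: 0x{byte:02X}" for off, byte in report["suspicious"]]
    return lines or ["no BOM or non-text bytes in the inspected range"]


# Constructed samples: the header line quoted in the thread, alone and
# preceded by the 0xA0 byte mentioned in the accepted answer.
CLEAN = b"#Software: Microsoft Internet Information Services 6.0\r\n"
DIRTY = b"\xa0" + CLEAN

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("dirty", DIRTY)):
        print(label, sample[:6].hex(" ", 2), describe(inspect_head(sample)))
```

Running `inspect_file` on the newly rotated file right after midnight, before restarting the forwarder, shows what the file looked like at the moment it was classified.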