Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk error message on splunkd.log

OMohi
Path Finder
‎07-13-2015 10:58 AM

I am getting the following error message from inputs directing from splunk forwarder instance to indexer:

13:01:22.582 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/xfer/XXXlogs/retail_sales_dm_ci_comm.rows'.
07-13-2015 13:01:22.636 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/xfer/XXX/logs/retail_sales_dm_ci_comm_sql.out.Mon'.
07-13-2015 13:01:25.613 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/xfer/XXX/logs/IFM_FACT_wf_edw_mbr_alloc_sum_skey_coid_xref.out'

This is my inputs.conf configuration:

[monitor:///xfer/XXX/logs/*]
index = <index_name>
sourcetype = <sourcetype>
crcSalt = <SOURCE>

I am unable to see latest events as a result.

Please provide feedback on how to overcome this issue.

Thanks,

Mohammed Mohiuddin

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 02:35 PM

These are no error messages, they're informational messages telling you that Splunk is re-reading files after they've been replaced with different content.

0 Karma
Reply

prakash007
Builder
‎05-06-2016 12:35 PM

martin,
I do see lot of these messages in splunkd.logs, is splunk re-indexing the data or can i ignore these messages...?

     File too small to check seekcrc, probably truncated.  Will re-read entire file=...filepath
     File too small to check seekcrc, probably truncated.  Will re-read entire file=...filepath
    INFO  WatchedFile - Logfile truncated while open, original pathname file=...filepath. , will begin reading from start.
    INFO  WatchedFile - Logfile truncated while open, original pathname file=...filepath., will begin reading from start.


input.conf on UFs................

 [monitor:///opt/app/ws/server/*/log/server.log]
 sourcetype=log4j
 crcSalt = <source>
 index=testenv
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-08-2016 10:38 AM

It says a watched file was truncated and that Splunk will begin reading that file from the new start.

Most likely reason: Log rotation.

0 Karma
Reply

prakash007
Builder
‎05-08-2016 07:09 PM

These two are different messages on different UFs..

File too small to check seekcrc, probably truncated.  Will re-read entire file=...filepath

INFO  WatchedFile - Logfile truncated while open, original pathname file=...filepath. , will begin reading from start.

For the monitor path in the stanza, the log rotates and gets saved as server.log.05082016 every day @midnight. I don't think splunk reads that rolled over file as we didn't mention the path in the monitor stanza, isn't it so...?

[monitor:///opt/app/ws/server/*/log/server.log]

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-10-2016 01:30 PM

If you tell Splunk to read server.log, Splunk's not going to read server.log.05082016.

You should tell Splunk to read that though, in case an event was written and rotated out before Splunk caught it.

0 Karma
Reply

prakash007
Builder
‎05-12-2016 11:34 AM

If i tell splunk to read both server.log in monitor stanza([monitor:///opt/app/ws/server/*/log/server.log])
and also archived/backed up server.log.05082016..does this lead to double indexing of the events..?

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...