Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk not indexing the entire file.

khhenderson
Path Finder
‎11-09-2012 06:54 AM

I have a new 5.0 splunk server that is the indexer and search head.
I have one forwarder sending logs.
All is working well but!
One directory of log files. Splunk is only reading the first line of the files in this directory.
The splunkd.log

11-09-2012 08:33:43.250 -0600 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/opt/jrun4/logs/server-2-event.log'.

11-09-2012 08:33:43.250 -0600 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/jrun4/logs/server-2-event.log'.

Here is what is in my inputs.conf

[monitor:///opt/jrun4/logs]

crcSalt = <SOURCE>

disabled = false

I just recently add the crcSalt = <SOURCE> and restarted the forwarder. I'm still not getting the entire file indexed.

NOTE: I do have the word "SOURCE" between the greater than and less than symbols. It just didn't show up when typeing this question.

Please help.

0 Karma
Reply

Lucas_K
Motivator
‎11-11-2012 02:10 PM

Double check and see that your events are not being timestamped incorrectly and they are not appearing elsewhere in your index.

Does it still show only one event if you directly reference the source file over all time? ie. index=blah source=/opt/jrun4/logs/server-2-event.log

Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...