- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Splunk not reading the new file created after ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk not reading the new file created after 2 months
Hello Splunkers,
I have a situation where in a log file is created by the application after a long duration of 2 months.
I found no error in splunkd log for this specific file. Neither I found "WatchedFile" event for this file.
I'm sure that the issue is not due to initcrclen or crcSALT as the log file is new and splunkd log does not have any information on this.
After restarting the agent I finally get the following splunkd log info
06-28-2018 15:20:24.560 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='XXX.log'
However the old data is still not indexed and I do not have new data flowing in to the log file.
Can some one explain this situation.
Regards,
Ankith
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to adjust MAX_DAYS_AGO to cover your span, clear the fishbucket, and then restart the UF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Woodcock,
Thanks for the reply.
I figured out that the issue is not due to the "ignoreolderthan" attribute as the issue appeared again.
It happened that splunk even skipped to watch one of the newly created file ( logs rotated every hour) without any error on the log file.
There is no configuration issue/ permission issue /port /network issue as other log file on the same path is read by the splunk. Also since rotation is 1 hour , ignoreolderthan attribute will not come in to picture.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, with ignoreOlderThan, once a file is ignored from monitoring, it will stay ignored (won't be monitored) even if it gets some new data. When you restart Splunk, it re-evaluates the monitoring that needs to be done and will pick that file if it still newer than the ignoreOlderThan setting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Somesoni2,
Thanks for the clarification. I'm trying to understand why splunk has not indexed the data even after the restart.
Situation: April 8th last log flow (after this file is rotated)
June 26th new log flow
Splunk doesnt perform watchedfile on this file.
After restart splunk performs watchedfile on this from the beginning of the file but the earlier data is not indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you monitoring the rolled log files? (check the [monitor:// in your inputs.conf). If you're not, those files will not be monitored/indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you share the inputs.conf?
do you have: ignoreOlderThan attribute there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Adonio,
Thanks for your reply. Yes I have a parameter ignoreOlderThan= 14 days.
Is this the cause?
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
