Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk not reading the new file created after 2 months

ankithnageshshe
Path Finder
‎06-28-2018 02:37 PM

Hello Splunkers,

I have a situation where in a log file is created by the application after a long duration of 2 months.

I found no error in splunkd log for this specific file. Neither I found "WatchedFile" event for this file.
I'm sure that the issue is not due to initcrclen or crcSALT as the log file is new and splunkd log does not have any information on this.

After restarting the agent I finally get the following splunkd log info

06-28-2018 15:20:24.560 -0400 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='XXX.log'

However the old data is still not indexed and I do not have new data flowing in to the log file.

Can some one explain this situation.

Regards,
Ankith

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-29-2018 09:07 PM

You need to adjust MAX_DAYS_AGO to cover your span, clear the fishbucket, and then restart the UF.

0 Karma
Reply

ankithnageshshe
Path Finder
‎07-03-2018 06:44 AM

Hello Woodcock,

Thanks for the reply.
I figured out that the issue is not due to the "ignoreolderthan" attribute as the issue appeared again.

It happened that splunk even skipped to watch one of the newly created file ( logs rotated every hour) without any error on the log file.

There is no configuration issue/ permission issue /port /network issue as other log file on the same path is read by the splunk. Also since rotation is 1 hour , ignoreolderthan attribute will not come in to picture.

0 Karma
Reply

somesoni2
Revered Legend
‎06-29-2018 08:01 AM

Yes, with ignoreOlderThan, once a file is ignored from monitoring, it will stay ignored (won't be monitored) even if it gets some new data. When you restart Splunk, it re-evaluates the monitoring that needs to be done and will pick that file if it still newer than the ignoreOlderThan setting.

Reply

ankithnageshshe
Path Finder
‎06-29-2018 09:02 AM

Hi Somesoni2,

Thanks for the clarification. I'm trying to understand why splunk has not indexed the data even after the restart.
Situation: April 8th last log flow (after this file is rotated)
June 26th new log flow
Splunk doesnt perform watchedfile on this file.
After restart splunk performs watchedfile on this from the beginning of the file but the earlier data is not indexed.

0 Karma
Reply

somesoni2
Revered Legend
‎06-29-2018 09:25 AM

Are you monitoring the rolled log files? (check the [monitor:// in your inputs.conf). If you're not, those files will not be monitored/indexed.

0 Karma
Reply

adonio
Ultra Champion
‎06-28-2018 04:49 PM

can you share the inputs.conf?
do you have: ignoreOlderThan attribute there?

Reply

ankithnageshshe
Path Finder
‎06-29-2018 06:35 AM

Hello Adonio,

Thanks for your reply. Yes I have a parameter ignoreOlderThan= 14 days.
Is this the cause?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...