Splunkforwarder fishbucket and salt used to create hashes

govardha
Path Finder

I have a CSV file that I am monitoring, with the props.conf for the sourcetype associated with this file having the parameter CHECK_METHOD = modtime set.

This works well, but I occasionally have a scenario where I need to get the fishbucket to "forget" the file being monitored. I tried the usual procedure using btprobe and reset:

$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ --file < full path of somefile.csv> --reset

btprobe says it is unable to find the file.  I further went down this rabbit hole and tried to find the hash of the file in question, but once again no luck.

$SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc < full path of somefile.csv>
Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg.
crc=0x5db5b08c29b4b08d decimal=6752497332353544333

I used the crc and tried to grep for it:
$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0x5db5b08c29b4b08d

$SPLUNK_HOME/bin/splunk cmd btprobe --compute-crc < full path of somefile.csv> -salt < full path of somefile.csv>

Using logging configuration at /opt/splunkforwarder/etc/log-cmdline.cfg.
crc=0xa5cb29c8fe9d6ace decimal=11946688379772299982

I used the crc and tried to grep for it:
$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_DB/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | egrep 0xa5cb29c8fe9d6ace

I tried this too. I *know* the splunkforwarder is monitoring the file, as btools & inputslist and monitor etc. are all showing the file. What am I missing? Any help is greatly appreciated. I am really stumped here.


isoutamo
SplunkTrust
Hi
You could check the status of this file by running splunk list inputstatus on the UF. https://community.splunk.com/t5/Getting-Data-In/Are-there-any-easier-way-to-check-file-monitoring-st...

govardha
Path Finder

Thank you for your response. That was one of the commands I used to confirm the file is indeed being monitored. I just need the fishbucket to "forget" it and re-ingest it, and I am trying the btprobe reset method, which unfortunately doesn't work.

isoutamo
SplunkTrust
Have you tried btprobe without the trailing / on the fishbucket path?

govardha
Path Finder

Sure did. When I do -k ALL, it lists ALL the stuff that is being monitored.

When I do ./splunk inputstatus list, I see the file in question being monitored.

isoutamo
SplunkTrust
Without the last / also when you are doing --reset, or only in list? And are you using the same user as the one you are using when reading those files?

govardha
Path Finder

Take your pick, reset/list, I have tried it all. All the stuff is being done as the user running the UF.

I just get "record not found" when I try to do "reset".