I was trying to load data via my auto index and I was getting a tail reader error because I think Splunk was reading in my file as a duplicate (this was at ~2 pm). Then around 9 pm- the file uploaded fine with all of the data. I checked _internal and the only information I have that contain the source file name are the below messages:
-0400 INFO Metrics - group=per_source_thruput
-0400 INFO LicenseUsage - type=Usage
Does anyone know why file uploaded ~7 hours later and can help me troubleshoot?
Thank you!!
Can you at least share the exact TailReader error you observed initially?
What do the respective inputs.conf settings look like?
And how is that log file created / written to?
The errors I got when I first tried to upload were:
-0400 WARN FileClassifierManager - Unable to open
0400 WARN FileClassifierManager - The file is invalid. Reason: cannot_open
-0400 ERROR TailReader - error from read call
The inputs.conf looks like below:
whitelist = .csv$
disabled = false
index = it_snow_call_kiosk_logs_weekly
sourcetype = itcc:snow
initCrcLength = 640
And I was trying to upload a .csv.
How are you uploading that csv?
Sounds like splunk noticed the new file, but couldn't access it (because your upload process was keeping it fully locked somehow?)? And only later, it was able to access it and as a result still indexed it?
I was just dropping the .csv in the auto index folder- a simple copy and paste into the directory- do you know why a file could be locked? I appreciate your help!