Splunk is unable to monitor a local file, and a search query is not returning any values. No events are indexed. How do I troubleshoot this?
Search: sourcetype="online_error_test1" >>> No results for any time.
[monitor:///home/splunk/error_delta.log]
disabled = false
followTail = 0
sourcetype = online_error_test1
[online_error_test1]
TIME_FORMAT = %a %b %e %Y %k:%M:%S,%3 %Z
One thing to do is troubleshoot the input using amrit's excellent script:
First, check splunkd.log for messages from the WatchedFile and TailingProcessor components, looking for anything related to error_delta.log. Hopefully this tells you what is happening, but it might not tell you anything at all. If this solves the problem, great! If not, then:
Second, from $SPLUNK_HOME/bin you can run 'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus > output.txt'
Look at output.txt for error_delta.log. If it read the file, it'll tell you how far into the file we read and the size at the time of reading. If it ignored the file, it'll say why we ignored it.
If it says we read the file and it isn't showing up, try searching in a very non-specific way for something in particular which you'd expected to see but didn't, with a search like this:
'index=* <uniquedata>'
over all-time via the search app. It's possible the timestamp is being misinterpreted or the metadata isn't matching for some reason.
That means we didn't read the file because there is another file that has the same CRC. This indicates the first 256 bytes of the file are the same as those of another file already read. In this input stanza you can put in this option to force Splunk to include the source name as well as the CRC:
crcSalt =
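The mechanism described above, as an added illustration that is not Splunk's code: a CRC over the first 256 bytes of each file is the only identity the tailer uses, so two logs with an identical header collide, and salting the CRC with the source path (what crcSalt = <SOURCE> does) separates them. The files and the zlib CRC32 are constructed stand-ins; Splunk's actual CRC routine is not reproduced.

```python
import zlib

HEAD_BYTES = 256  # Splunk fingerprints a monitored file by a CRC over its first 256 bytes


def head_crc(content: bytes, source: str = "", salt_with_source: bool = False) -> int:
    """CRC32 over the file head, optionally salted with the source path.
    Illustrative stand-in for Splunk's fingerprint, not its exact algorithm."""
    data = content[:HEAD_BYTES]
    if salt_with_source:
        # Equivalent in spirit to crcSalt = <SOURCE>: the path becomes part of the fingerprint
        data = source.encode() + data
    return zlib.crc32(data) & 0xFFFFFFFF


def find_crc_conflicts(files: dict, salt_with_source: bool = False) -> dict:
    """Return {crc: [sources]} for every CRC shared by more than one file.
    Each such group is what the tailer reports as 'crc conflict, needs crcSalt':
    only the first file is read, the rest are treated as already-indexed duplicates."""
    seen = {}
    for source, content in files.items():
        seen.setdefault(head_crc(content, source, salt_with_source), []).append(source)
    return {crc: srcs for crc, srcs in seen.items() if len(srcs) > 1}


# Constructed sample: two logs share a banner longer than 256 bytes,
# so their heads are byte-identical even though the events differ.
BANNER = b"# online error log\n# generated by app v1.0\n" + b"#" * 230 + b"\n"
SAMPLE_FILES = {
    "/home/splunk/error_delta.log": BANNER + b"Mon Jan 01 2024 10:00:00,123 UTC ERROR disk full\n",
    "/home/splunk/error_full.log": BANNER + b"Mon Jan 01 2024 09:00:00,001 UTC ERROR timeout\n",
}

if __name__ == "__main__":
    # Without the salt both paths land in one group; with it the conflict disappears.
    print(find_crc_conflicts(SAMPLE_FILES))
    print(find_crc_conflicts(SAMPLE_FILES, salt_with_source=True))
```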
I have added crcSalt=
Where have you added this "crcSalt"?
Could you please give me more details about this case?
Thanks in advance.
What does this mean?
Using this script shows exactly the same:
ignored file (crc conflict, needs crcSalt)