Getting Data In

What is crc_Salt = means and in which case its used?

PoonamMaurya
New Member

What is crc_Salt = means and in which case its used?
Please provide some scenarios where it will be used.

0 Karma

wryanthomas
Contributor

I am confused about this too. I see people posting about using "crcSalt =" ... but based on the docs, that would seem to be specifying a null value for the salt ... which is what the default is. So, what is it that "crcSalt =" is supposed to accomplish? I.e., if you are using "crcSalt =" and it is working for you, exactly what is it doing for you that omitting "crcSalt =" (leaving it to default value) doesn't do for you?

One of the reasons I'm curious is that we've noticed that a crcSalt value of SOURCE (text editor won't let me add the angle brackets) can consume substantially more compute resources such that, for high volume sources, it can significantly delay forwarding of events. So we're exploring ways to use crcSalt in ways that are less compute-intensive. I was wondering if "crcSalt =" is such a way... but I'm not seeing how it does anything other than make explicit the default NULL value.

0 Karma

niketn
Legend

@PoonamMaurya please provide some more context as to why you are thinking about crcSalt. If your use case is to to monitor several files being written at the same path with similar header you should be thinking about crcSalt. Do refer to the following post for a decision between crcSalt and initCrcLen

https://answers.splunk.com/answers/551006/how-to-avoid-reindexing-files-after-setting-crcsal.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

whrg
Motivator

Check out the well-written documentation on inputs.conf regarding crcSalt:

crcSalt = <string>
* Use this setting to force the input to consume files that have matching CRCs
  (cyclic redundancy checks).
    * By default, the input only performs CRC checks against the first 256
      bytes of a file. This behavior prevents the input from indexing the same
      file twice, even though you might have renamed it, as with rolling log
      files, for example. Because the CRC is based on only the first
      few lines of the file, it is possible for legitimately different files
      to have matching CRCs, particularly if they have identical headers.
* If set, <string> is added to the CRC.
* If set to the literal string "<SOURCE>" (including the angle brackets), the
  full directory path to the source file is added to the CRC. This ensures
  that each file being monitored has a unique CRC. When crcSalt is invoked,
  it is usually set to <SOURCE>.
* Be cautious about using this setting with rolling log files; it could lead
  to the log file being re-indexed after it has rolled.
* In many situations, initCrcLength can be used to achieve the same goals.
* Default: empty string.

Sometimes I want to index log files which are identical. Splunk does not index identical log files due to log rotation. However, if you want to force Splunk to index identical log files, then set:

crcSalt = <SOURCE>
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...