Why a tiny file doesn't get indexed? - Splunk Community

Getting Data In

We see the message INFO WatchedFile - Will begin reading at offset=313 for file xxxx and the input file is exactly 313 characters and it was not indexed so far. We added crcSalt = <SOURCE> and it didn't help.

How can we do to get this file to be indexed?

what does ./splunk list inputstatus say for this input?

Sounds like we knew about the file and have the seekptr in the fishbucket. Maybe try and zap the fishbucket?

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/CommandlinetoolsforusewithSupport...

./splunk cmd btprobe -d  /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db  --file /var/log/messages --reset

Are you sure we haven't indexed it? Have you searched all time?

- MattyMo

Perfect. I searched all time...

I ran the command and got back -

Using logging configuration at /opt/splunk/splunkforwarder/etc/log-cmdline.cfg.
key=0xc70a454221239041 scrc=0xefd9b0699540a4c0 sptr=314 fcrc=0xd2febf0eb34e3560 flen=0 mdtm=1501003479 wrtm=1501043870

What does it mean?

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Thursday, July 9, 2026 | 11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...