Why a tiny file doesn't get indexed? - Splunk Community

Getting Data In

We see the message INFO WatchedFile - Will begin reading at offset=313 for file xxxx and the input file is exactly 313 characters and it was not indexed so far. We added crcSalt = <SOURCE> and it didn't help.

How can we do to get this file to be indexed?

what does ./splunk list inputstatus say for this input?

Sounds like we knew about the file and have the seekptr in the fishbucket. Maybe try and zap the fishbucket?

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/CommandlinetoolsforusewithSupport...

./splunk cmd btprobe -d  /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db  --file /var/log/messages --reset

Are you sure we haven't indexed it? Have you searched all time?

- MattyMo

Perfect. I searched all time...

I ran the command and got back -

Using logging configuration at /opt/splunk/splunkforwarder/etc/log-cmdline.cfg.
key=0xc70a454221239041 scrc=0xefd9b0699540a4c0 sptr=314 fcrc=0xd2febf0eb34e3560 flen=0 mdtm=1501003479 wrtm=1501043870

What does it mean?

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...