Why a tiny file doesn't get indexed? - Splunk Community

Getting Data In

We see the message INFO WatchedFile - Will begin reading at offset=313 for file xxxx and the input file is exactly 313 characters and it was not indexed so far. We added crcSalt = <SOURCE> and it didn't help.

How can we do to get this file to be indexed?

what does ./splunk list inputstatus say for this input?

Sounds like we knew about the file and have the seekptr in the fishbucket. Maybe try and zap the fishbucket?

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/CommandlinetoolsforusewithSupport...

./splunk cmd btprobe -d  /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db  --file /var/log/messages --reset

Are you sure we haven't indexed it? Have you searched all time?

- MattyMo

Perfect. I searched all time...

I ran the command and got back -

Using logging configuration at /opt/splunk/splunkforwarder/etc/log-cmdline.cfg.
key=0xc70a454221239041 scrc=0xefd9b0699540a4c0 sptr=314 fcrc=0xd2febf0eb34e3560 flen=0 mdtm=1501003479 wrtm=1501043870

What does it mean?

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...