Why a tiny file doesn't get indexed? - Splunk Community

Getting Data In

We see the message INFO WatchedFile - Will begin reading at offset=313 for file xxxx and the input file is exactly 313 characters and it was not indexed so far. We added crcSalt = <SOURCE> and it didn't help.

How can we do to get this file to be indexed?

what does ./splunk list inputstatus say for this input?

Sounds like we knew about the file and have the seekptr in the fishbucket. Maybe try and zap the fishbucket?

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/CommandlinetoolsforusewithSupport...

./splunk cmd btprobe -d  /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db  --file /var/log/messages --reset

Are you sure we haven't indexed it? Have you searched all time?

- MattyMo

Perfect. I searched all time...

I ran the command and got back -

Using logging configuration at /opt/splunk/splunkforwarder/etc/log-cmdline.cfg.
key=0xc70a454221239041 scrc=0xefd9b0699540a4c0 sptr=314 fcrc=0xd2febf0eb34e3560 flen=0 mdtm=1501003479 wrtm=1501043870

What does it mean?

Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...