Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can't Splunk index some files in a directory?

edrivera3
Builder
‎04-09-2015 08:38 AM

Hi

I am trying to index a file from different subdirectory but Splunk is not indexing some of those files for some weird reason. All subdirectories contain different files but I am just interested in a file with an specific extension (.tir) so I am using a whilelist (.tir$). Splunk indexed almost all files but there are some files that Splunk just didn't index. Do you know a reason why is this happening?

I examined the files and they are normal (Same type data, same type format, and same extension).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

edrivera3
Builder
‎04-10-2015 08:45 AM

I found a solution to my own problem. I need to add:
crcSalt =
initCrcLength = 2000

View solution in original post

Reply
Solved! Jump to solution
Solution

edrivera3
Builder
‎04-10-2015 08:45 AM

I found a solution to my own problem. I need to add:
crcSalt =
initCrcLength = 2000

Reply
Solved! Jump to solution

nawazns5038
Builder
‎11-13-2018 02:46 PM

What exactly does the setting do ?

0 Karma
Reply
Solved! Jump to solution

bandit
Motivator
‎11-13-2018 06:59 PM

Essentially how many bytes in Splunk will check at the beginning of a file to try to uniquely identify it.

From: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
initCrcLength =
* How much of a file, in bytes, that the input reads before trying to
identify whether it is a file that has already been seen. You might want to
adjust this if you have many files with common headers (comment headers,
long CSV headers, etc) and recurring filenames.
* Cannot be less than 256 or more than 1048576.
* CAUTION: Improper use of this setting will cause data to be re-indexed. You
might want to consult with Splunk Support before adjusting this value - the
default is fine for most installations.
* Default: 256 (bytes).

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎04-09-2015 08:46 AM

Please use below code in monitor stanza

whiltelist = (*.tir)$
recursive = true
0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-09-2015 08:53 AM

I am already indexing recursively but Splunk is not indexing for some subdirectories.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎04-09-2015 09:08 AM

Can you please check on forwarder with below command whether all files with (.tlr) is showing or not in command output?

 $SPLUNK_HOME/bin/splunk list monitor
0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-09-2015 09:19 AM

I'm working with Windows OS.

0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-09-2015 09:39 AM

I was examining the files and I noticed that there are very similar, almost the same. Is it possible that Splunk believed I am duplicating a file? If so, how could I change it so Splunk would index the file?

0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-09-2015 11:28 AM

I didn't solve the problem. I checked the wrong index...

Anyway I tried to use CHECK_METHOD AND crcSalt but they didn't change anything.

0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-09-2015 01:27 PM

But I found many errors in index=_internal which is weird because I tried using crcSalt = and the problem wasn't resolve. Looks like I have added these files previously which is wrong because I just created the index.

ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=C:\blah\blah\30343.tir). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.

0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-09-2015 09:23 AM

Well in Splunk>Data Input> Files & Directory appears that there 4835 files which contain the .tir extension and they are supposed to be indexed.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎04-09-2015 09:22 AM

Then use below command

$SPLUNK_HOME/bin/splunk.exe list monitor

For example: 

C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe list monitor
0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-09-2015 08:43 AM

I checked the current size of the index (36MB) and the event count (1,854) which look normal.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top