Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is Splunk unable to index logs with very small sizes [in KB] but is able to parse other files from that directory?

juhisaxena28
Explorer
‎03-29-2019 10:53 AM

Hi,

I have to monitor all files inside one directory. But the tiny sized files are not getting into Splunk while all other files are duly getting indexed. i used CRCSalt parameters and Below is my config settings for inputs file.

[monitor://L:\XYZ.2.0\XYZlogs\*]
disabled = false
index = app_XYZ
sourcetype = _json
crcSalt = Source in greater than and less than sign
initCrcLength = 256

Please tell us what am I missing out on.

Thanks

0 Karma
Reply

awheatcr
New Member
‎08-18-2019 09:48 AM

Did you ever resolve your problem? I am experiencing the same issue with very small files ( < 2KB ) that Splunk forwarder is missing/skipping. Sometimes, I can delete and re-create the log file and Splunk will pick it up but sometimes nothing will trigger the forwarder to send the file to the indexers.

0 Karma
Reply

awheatcr
New Member
‎08-18-2019 09:45 AM

DId you ever resolve this issue? I am experiencing issues where Splunk forwarder sometimes misses very small ~2KB files.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2019 12:55 AM

You have the setting wrong. Use this exactly (do NOT change anything at all):

crcSalt=<SOURCE>
0 Karma
Reply

juhisaxena28
Explorer
‎03-31-2019 04:55 AM

Yes its indeed the same settings.

crcSalt=SOURCE with angular brackets

0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2019 06:14 PM

Do you LITERALLY have this:

crcSalt=<SOURCE>

Or have you substituted the word SOURCE for something else like this:

crcSalt=</your/path/file>

YOU MUST NOT DO THE LATTER! YOU MUST DO THE FORMER!

Reply

juhisaxena28
Explorer
‎03-31-2019 11:18 PM

Yes i have done the former setting only.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2019 11:31 PM

Then it should work. Deploy to forwarders and restart splunk.

0 Karma
Reply

isachse
Explorer
‎03-29-2019 11:40 AM

Are the files smaller than the 256 bytes?

Reply

juhisaxena28
Explorer
‎03-29-2019 09:48 PM

File size is like 1-5KBs.

0 Karma
Reply

juhisaxena28
Explorer
‎03-29-2019 10:10 PM

Also i just discovered that few of the data is going into "lastchanceindex". Why is that the case.

0 Karma
Reply

Vijeta
Influencer
‎03-29-2019 11:28 AM

make sure the path is correct, try giving complete file name.

0 Karma
Reply

juhisaxena28
Explorer
‎03-29-2019 09:49 PM

Yes path is accurate given other large files are duly getting indexed in splunk.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...