- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Why is Splunk unable to index logs with very s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is Splunk unable to index logs with very small sizes [in KB] but is able to parse other files from that directory?
Hi,
I have to monitor all files inside one directory. But the tiny sized files are not getting into Splunk while all other files are duly getting indexed. i used CRCSalt parameters and Below is my config settings for inputs file.
[monitor://L:\XYZ.2.0\XYZlogs\*]
disabled = false
index = app_XYZ
sourcetype = _json
crcSalt = Source in greater than and less than sign
initCrcLength = 256
Please tell us what am I missing out on.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever resolve your problem? I am experiencing the same issue with very small files ( < 2KB ) that Splunk forwarder is missing/skipping. Sometimes, I can delete and re-create the log file and Splunk will pick it up but sometimes nothing will trigger the forwarder to send the file to the indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DId you ever resolve this issue? I am experiencing issues where Splunk forwarder sometimes misses very small ~2KB files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have the setting wrong. Use this exactly (do NOT change anything at all):
crcSalt=<SOURCE>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes its indeed the same settings.
crcSalt=SOURCE with angular brackets
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you LITERALLY have this:
crcSalt=<SOURCE>
Or have you substituted the word SOURCE for something else like this:
crcSalt=</your/path/file>
YOU MUST NOT DO THE LATTER! YOU MUST DO THE FORMER!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes i have done the former setting only.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then it should work. Deploy to forwarders and restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are the files smaller than the 256 bytes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
File size is like 1-5KBs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also i just discovered that few of the data is going into "lastchanceindex". Why is that the case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make sure the path is correct, try giving complete file name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes path is accurate given other large files are duly getting indexed in splunk.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
