Getting Data In

Why is only the first log file indexed, not the entire directory of SSRS logs being monitored?

Bliide
Path Finder

I am indexing SSRS logs. The path to the logs is: C:\Program Files\MSRS12.MSSQLSERVER\Reporting Services\LogFiles. The forwarder sends and the indexer receives but it is only indexing the first log file in the directory. For example, we added a new server that has SSRS logs. I put a monitor in inputs.conf for the path to the log files. In that directory it has logs dating from 5/5/2015 - 5/21/2015. I go to our Splunk instance and do a simple search for index=ssrs and it populates data but the most recent date is 5/5/2015. None of the other log files have been indexed. Any suggestions?

1 Solution

acharlieh
Influencer

Are the first 256 bytes of each file the same? (Offhand I think it's 256 bytes for the hashing that the forwarder does) a possibility is that could the forwarder be thinking these are rolls of the same file and therefore not indexing any beyond the first (if this is the problem you would solve this with crcSalt=<SOURCE> in inputs.conf on the forwarder (double check exact syntax here, I'm on my phone)

View solution in original post

acharlieh
Influencer

Are the first 256 bytes of each file the same? (Offhand I think it's 256 bytes for the hashing that the forwarder does) a possibility is that could the forwarder be thinking these are rolls of the same file and therefore not indexing any beyond the first (if this is the problem you would solve this with crcSalt=<SOURCE> in inputs.conf on the forwarder (double check exact syntax here, I'm on my phone)

Bliide
Path Finder

Yes, there is a header at the beginning of each log file that has the same information. I will add it to inputs.conf and give it a shot. Thank you!

Seems to be working fine now. That addition to inputs.conf did the trick. Thank you very much sir!

0 Karma

acharlieh
Influencer

Excellent! (Converted to an answer so it can be marked as accepted)

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...