Getting Data In

can't find the file (source)

ypfbkg
Explorer

i set a input (directory) and i use command "splunk list monitor"
splunk list monitor command result:
\\aaasvr\iis-pic\PM\PMLog
\\aaasvr\iis-pic\PM\PMLog\PMLog.txt
\\aaasvr\iis-pic\PM\PMLog\PMLog.txt20111126
\\aaasvr\iis-pic\PM\PMLog\PMLog.txt20111128
\\aaasvr\iis-pic\PM\PMLog\PMLog20111128.txt

but in my source data, only one file (\\aaasvr\iis-pic\PM\PMLog\PMLog.txt) be detected.

why jsut one file be detected ? hwo can i do ? anyone can help me.

this is my splunk source & command result
Link

Thanks.
Finley

0 Karma
1 Solution

Takajian
Builder

How those file are created? Did you just copy them from original one? Are those file header is same? If yes, it could be problem for splunk to index data.
Because splunk monitoring processor picks up new files and reads the first and last 256 bytes of the file, then
the data is hashed into a begin and end cyclic redundancy check (CRC).
Splunk checks new CRCs against a database that contains all the CRCs of files Splunk has seen before.
If those file header is same, CRC will be same , so Splunk can not detect them as new file.

To avoid this issue, you can use following parameter in inputs.conf.

--------------------------------------------------------------------------------------------------------
crcSalt =
* Use this setting to force Splunk to consume files that have matching CRCs (cyclic redundancy checks). (Splunk only
performs CRC checks against the first few lines of a file. This behavior prevents Splunk from indexing the same
file twice, even though you may have renamed it -- as, for example, with rolling log files. However, because the
CRC is based on only the first few lines of the file, it is possible for legitimately different files to have
matching CRCs, particularly if they have identical headers.)
* If set, is added to the CRC.
* If set to the literal string (including the angle brackets), the full directory path to the source file
is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked,
it is usually set to .
* Be cautious about using this attribute with rolling log files; it could lead to the log file being re-indexed
after it has rolled.
* Defaults to empty.


View solution in original post

0 Karma

Takajian
Builder

How those file are created? Did you just copy them from original one? Are those file header is same? If yes, it could be problem for splunk to index data.
Because splunk monitoring processor picks up new files and reads the first and last 256 bytes of the file, then
the data is hashed into a begin and end cyclic redundancy check (CRC).
Splunk checks new CRCs against a database that contains all the CRCs of files Splunk has seen before.
If those file header is same, CRC will be same , so Splunk can not detect them as new file.

To avoid this issue, you can use following parameter in inputs.conf.

--------------------------------------------------------------------------------------------------------
crcSalt =
* Use this setting to force Splunk to consume files that have matching CRCs (cyclic redundancy checks). (Splunk only
performs CRC checks against the first few lines of a file. This behavior prevents Splunk from indexing the same
file twice, even though you may have renamed it -- as, for example, with rolling log files. However, because the
CRC is based on only the first few lines of the file, it is possible for legitimately different files to have
matching CRCs, particularly if they have identical headers.)
* If set, is added to the CRC.
* If set to the literal string (including the angle brackets), the full directory path to the source file
is added to the CRC. This ensures that each file being monitored has a unique CRC. When crcSalt is invoked,
it is usually set to .
* Be cautious about using this attribute with rolling log files; it could lead to the log file being re-indexed
after it has rolled.
* Defaults to empty.


0 Karma

ypfbkg
Explorer

Takajian Thanks ^^

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...