Monitoring Splunk

.zip, .gz, .tar files are not getting indexed in Splunk


I have a server where logs are generated on a daily basis in this format:

/ABC/DEF/XYZ/      /ABC/DEF/XYZ/            /ABC/DEF/XYZ/


/ABC/DEF/RST/rst17012022.gz      /ABC/DEF/RST/rst16012022.gz               /ABC/DEF/RST/rst15012022.gz


I am getting this error every time I index a .gz, .tar or .zip file: "updated less than 10000ms ago, will not read it until it stops changing ; has stopped changing , will read it now."

This problem was earlier addressed in this post,

As suggested, I have used "crcSalt = <SOURCE>" but I am still facing similar errors.


index = log_critical
disabled = false
sourcetype = Critical_XYZ
ignoreOlderThan = 2d
crcSalt = <SOURCE>

