Re: Logging issues

dj064 · ‎01-22-2025

We are facing a log indexing issue with the log paths mentioned below. Previously, with the same inputs.conf configuration, logs were being ingested without issues, but suddenly, it stopped sending logs. Each log file contains logs for a single day, but splunk reports that it has already read these logs and skips them. Below is the inputs.conf configuration:

[monitor://C:\Ticker\out\]
whitelist = .*_Mcast2Msg\\logs\\.*log$
index = rtd
disabled = false
followTail = 0
ignoreOlderThan = 3d
recursive = true
sourcetype = rtd_mcast
crcSalt = <SOURCE>

source path:

C:\Ticker\out\Equiduct_Mcast2Msg\logs\EquiductTest-01-21-25.log
C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-16-25.log
C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-16-25.log
C:\Ticker\out\JSE_Mcast2Msg\logs\JSEtst-01-17-25.log
C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-14-25.log

_internal logs:

01-21-2025 14:48:20.745 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=105 for file='C:\Ticker\out\Equiduct_Mcast2Msg\logs\Equiduct-Limit-1-01-21-25.log'.
01-21-2025 14:48:13.586 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=171 for file='C:\Ticker\out\Equiduct_Mcast2Msg\logs\Equiduct-Limit-1-01-20-25.log'.
01-21-2025 14:48:06.332 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=66 for file='C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-21-25.log'.
01-21-2025 14:47:57.650 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=66 for file='C:\Ticker\out\Istanbul_Mcast2Msg\logs\Istanbul-01-20-25.log'.
01-21-2025 14:47:51.466 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=65 for file='C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-20-25.log'.
01-21-2025 14:47:45.271 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=65 for file='C:\Ticker\out\JSE_Mcast2Msg\logs\JSE-01-21-25.log'.
01-21-2025 14:47:39.644 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=114 for file='C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-21-25.log'.
01-21-2025 14:47:35.855 +0000 INFO WatchedFile [708 tailreader0] - Will begin reading at offset=114 for file='C:\Ticker\out\Warsaw_Mcast2Msg\logs\Warsaw-01-20-25.log'.
01-21-2025 14:47:35.660 +0000 INFO TailingProcessor [6536 MainTailingThread] - Adding watch on path: C:\Ticker\out.
01-21-2025 14:47:35.659 +0000 INFO TailingProcessor [6536 MainTailingThread] - Parsing configuration stanza: monitor://C:\Ticker\out\.

Issue Details:

1) When we update the very first line of a log file, only the updated first line is ingested by Splunk, and the rest of the content is skipped.
2) We have deleted the fishbucket, but the issue persists.
3) Even after reinstalling the Splunk forwarder (version 8.2.12), the problem continues.

SanjayReddy · ‎01-22-2025

Hi @dj064

My suggestion would be not use crcSalt setting for log rotation files. Can you please disable it and restart splunk to check status. also if you can share some log files with maksing imp data

crcSalt = <SOURCE>

PickleRick · ‎01-22-2025

Yes. crcSalt is rarely the way to go. The solution is usually to raise the initCrcLength value so that if you have a constant "header" in your file it's getting skipped.

As for your original question - there can be several different reasons for it. Try checking output of

splunk list monitor

and

splunk list inputstatus

regarding those problematic files

Logging issues

administration

configuration

troubleshooting

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation