Hi All, I am not able to see the logs in Splunk from one source and one host.
Use case: I have 2 hosts, host a and host b, source=/app/opt/source/logs/sample.log. I can see the data from host a but I cannot see the data from host b.
Below are the inputs used:
[monitor:///app/opt/source/logs/sample.log]
sourcetype=app:sample:log
disabled=0
index=xxxx
blacklist = \.(?:tar|gz)$
Do you get Splunk internal logs from both hosts? Have you checked splunkd.log on host b? Are the file permissions the same on both hosts?
Yes, I checked. I am receiving internal logs from both hosts and getting logs from splunkd.log from both hosts; file permissions are the same on both hosts.
Getting internal logs from both hosts means connectivity from both is working.
When you checked splunkd.log did you see any messages related to sample.log?
How are you searching for the data from host b?
When you checked splunkd.log did you see any messages related to sample.log?
When I checked with the below query:
index=_internal host=xxxx "app:sample:log"
I am getting logs for host a, but I am not getting any logs for host b.
How are you searching for the data from host b?
index=xxxx host=hostb source=/app/opt/source/logs/sample.log sourcetype=app:sample:log
Problems reading an input will be logged with the input file name rather than the sourcetype. Try this query
index=_internal host=hostb sourcetype=splunkd "sample.log"
I tried the query:
index=_internal host=hostb sourcetype=splunkd "sample.log"
I am getting error messages for host b like:
ERROR TailReader - File will not be read, seekptr checksum did not match (file=app/opt/source/logs/sample.log). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online.....
Now we're getting somewhere! The file isn't being read because Splunk thinks it already read it under a different name. Add this line (exactly as shown) to the monitor stanza in the inputs.conf file.
crcSalt = <SOURCE>
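To make the mechanism behind this fix concrete, here is an added example (not part of the original thread and not Splunk's own code) that models how the fishbucket decides whether a monitored file is new: Splunk checksums the first initCrcLen bytes (256 by default) and refuses a file whose checksum it already has under a different path, which is exactly the "filename was different" error above. Two files on host b that share a long header collide without a salt; with crcSalt = <SOURCE> the full path is mixed into the checksum and both are read. The file names, banner content and the FishBucket class are constructed for the demonstration; the checksum and matching logic are a simplified stand-in for Splunk's internal implementation.

```python
import zlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_INIT_CRC_LEN = 256  # Splunk's documented default for initCrcLen


def init_crc(path: str, content: bytes,
             init_crc_len: int = DEFAULT_INIT_CRC_LEN,
             crc_salt: Optional[str] = None) -> int:
    """Splunk-style initial checksum: CRC32 over the first init_crc_len bytes.

    crc_salt="<SOURCE>" mixes the full source path into the checksum (the
    special value Splunk documents); any other string is appended literally.
    This is a simplified model, not Splunk's real algorithm.
    """
    seed = content[:init_crc_len]
    if crc_salt == "<SOURCE>":
        seed += path.encode()
    elif crc_salt:
        seed += crc_salt.encode()
    return zlib.crc32(seed) & 0xFFFFFFFF


@dataclass
class FishBucket:
    """Toy fishbucket: maps an initial CRC to (path first seen, bytes consumed)."""
    seen: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def decide(self, path: str, content: bytes,
               crc_salt: Optional[str] = None) -> Tuple[str, str]:
        """Return ("read" | "skip", reason) for a file the tailer just found."""
        crc = init_crc(path, content, crc_salt=crc_salt)
        if crc not in self.seen:
            self.seen[crc] = (path, len(content))
            return "read", f"new file, initcrc={crc:08x}"
        first_path, _ = self.seen[crc]
        if first_path != path:
            # The condition behind the TailReader error in the thread.
            return "skip", (f"seekptr checksum did not match: last time we saw "
                            f"this initcrc, filename was {first_path}")
        return "read", "known file, continuing from saved seek pointer"


# Constructed sample: a rotated copy and the live file share a banner longer
# than initCrcLen, so their first 256 bytes are identical.
BANNER = b"# application sample log\n# " + b"=" * 300 + b"\n"
HOST_B_FILES = {
    "/app/opt/source/logs/sample.log.1": BANNER + b"2024-01-01 old rotated lines\n",
    "/app/opt/source/logs/sample.log": BANNER + b"2024-01-02 current lines\n",
}


def run_tailer(crc_salt: Optional[str] = None) -> Dict[str, str]:
    """Feed each file to a fresh fishbucket and report the decision per path."""
    bucket = FishBucket()
    return {path: bucket.decide(path, data, crc_salt=crc_salt)[0]
            for path, data in HOST_B_FILES.items()}


if __name__ == "__main__":
    for salt in (None, "<SOURCE>"):
        print(f"crcSalt={salt!r}:")
        bucket = FishBucket()
        for path, data in HOST_B_FILES.items():
            action, why = bucket.decide(path, data, crc_salt=salt)
            print(f"  {action:4s} {path}  ({why})")
```

Without a salt the live sample.log is skipped because the rotated copy claimed the checksum first; with crcSalt = <SOURCE> each path gets its own checksum. One caveat worth checking before rolling this out broadly: because the path is part of the checksum, a rotated or renamed file looks new again under this setting, so files that are rotated by rename can be re-indexed. Raising initCrcLen past the shared header length is the alternative when the headers are the real cause.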
@richgalloway, thank you so much for helping me to identify the issue and resolve it.
Now I can see logs from 2 hosts.