Splunk Enterprise

Why is my _thefishbucket always empty?

ademargomes
Explorer

Hi All,

This is my first post in here. I installed Splunk Light a few weeks ago and have been using it for reporting on various application logs.

Today I deployed a few scripts that copy log files to my Splunk server, which is monitoring the folder and reading the logs.

Now, if a file is copied twice (or more) to the folder, Splunk Light reindexes it and duplicates the data.

I read about it and noticed my _thefishbucket was empty no matter what. So I decided that it was because it was the Light version, and uninstalled it and reinstalled Splunk, but now the Enterprise version.

Still, my _thefishbucket index is still empty (0 events).

I don't know what to do to turn on the cyclic redundancy checks, and it is killing the proposition of using Splunk for log reporting.

So my questions are: how do I switch it on? And shouldn't it work by default?

Thanks in advance for your help,

Ademar

1 Solution

jkat54
SplunkTrust

Try using this in your inputs.conf:

crcSalt = <SOURCE>

Here's documentation on inputs.conf that you can search for "crcSalt" to find more details about it.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Inputsconf

The fishbucket is auto-magical and I have no clue why it's always 0 MB in size etc. on the disk. It's constantly used by Splunk and data rotates within.

0 Karma
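
A simplified model of the duplicate check discussed in this thread, added here as an example (not code from the posters or from Splunk): the monitor input fingerprints the first `initCrcLength` bytes of a file (256 by default), and `crcSalt` is mixed into that fingerprint, with `<SOURCE>` standing for the full source path. `zlib.crc32`, the in-memory `seen` set standing in for the fishbucket, and the paths and log contents are assumptions constructed for illustration.

```python
import zlib

INIT_CRC_LENGTH = 256  # default initCrcLength in inputs.conf (bytes)


def initial_crc(data: bytes, source: str, crc_salt: str = "") -> int:
    """CRC of the file head; the salt, if any, is mixed into the input."""
    # crcSalt = <SOURCE> means "use the full source path as the salt".
    salt = source if crc_salt == "<SOURCE>" else crc_salt
    return zlib.crc32(salt.encode() + data[:INIT_CRC_LENGTH])


def simulate(arrivals, crc_salt=""):
    """Return 'index' or 'known' for each (source, data) arrival, in order."""
    seen = set()  # stand-in for the fishbucket's record of fingerprints
    decisions = []
    for source, data in arrivals:
        key = initial_crc(data, source, crc_salt)
        decisions.append("known" if key in seen else "index")
        seen.add(key)
    return decisions


# Constructed sample files: both share a header longer than 256 bytes.
HEADER = b"# export v1 " + b"-" * 260 + b"\n"
LOG_A = HEADER + b"2024-01-01 INFO started\n"
LOG_B = HEADER + b"2024-01-02 WARN disk low\n"

# Constructed arrivals (hypothetical paths): the same file copied twice,
# the same content under a new name, and a different file with the same head.
ARRIVALS = [
    (r"D:\logs\app.log", LOG_A),
    (r"D:\logs\app.log", LOG_A),
    (r"D:\logs\app_copy.log", LOG_A),
    (r"D:\logs\other.log", LOG_B),
]

if __name__ == "__main__":
    for salt in ("", "<SOURCE>"):
        print(repr(salt), simulate(ARRIVALS, salt))
```

In this model, the unsalted check treats every later arrival as already known, including `other.log`, whose events differ but whose first 256 bytes match. With `<SOURCE>`, only a repeat at the same path is recognised, so the renamed copy is indexed a second time.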

somesoni2
SplunkTrust

Can you provide the monitoring configuration (inputs.conf) that you're using for your monitoring?

0 Karma

ademargomes
Explorer

Hi somesoni2,

I tried both editing the post and sending the file content as a comment, but neither worked 😞

0 Karma

ddrillic
Ultra Champion

Why do you care about the fishbucket? ;-) After all, it's an internal processing space...

what is this fishbucket thing

0 Karma

ademargomes
Explorer

Hi ddrillic, thanks for the comment.

I don't, in fact, but the data is getting duplicated, as Splunk seems to index the same file regardless of the cyclic redundancy checks.

0 Karma

ddrillic
Ultra Champion

Oh - got it ;-)

0 Karma

ademargomes
Explorer

Hi there, thanks for your reply. I tried to edit the post but I'm not allowed. Hope it is alright to have it here:

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[blacklist:$SPLUNK_HOME\etc\auth]

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME\etc]

# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = false

[SSL]

# default cipher suites that splunk allows. Change this if you wish to increase the security
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
sslQuietShutdown = false
# Allow only sslv3 and above connections
sslVersions = *,-ssl2

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB

# default single instance modular input restarts

[admon]
interval=60
baseline=0

[MonitorNoHandle]
interval=60

[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[WinNetMon]
interval=60

[WinPrintMon]
interval=60

[WinRegMon]
interval=60
baseline=0

[perfmon]
interval=300

[powershell]
interval=60

[powershell2]
interval=60

0 Karma