- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Re: Why is my _thefishbucket always empty?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
This is my first post in here. I have installed Splunk Light a few weeks ago and have been using it for reporting on various applications logs.
Today I deployed a few scripts that copy log files to my splunk server which is monitoring the folder and reading the logs.
Now, if a file is copied twice (or more) to the folder, Splunk Light reindexes it and duplicates the data.
I read about it and notice my _thefishbucket was empty no matter what. So i decided that it was because is was the Light version and uninstalled it and reinstalled Splunk but now the Enterprise version.
Still my _thefishbucket index still empty (0 events).
I dont know what to do to turn on the cyclic redundancy checks and it is killing the proposition of using Splunk for logs reporting.
So my questions are: how do I switch it on? and shouldn't it work by default?
Thanks in advance for your help,
Ademar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using this in your inputs.conf:
crcSalt =<SOURCE>
Here's documentation on inputs.conf that you can search for "crcSalt" to find more details about it.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Inputsconf
The fishbucket is auto-magical and I have no clue why its always 0 mb in size etc on the disk. It's constantly used by splunk and data rotates within.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using this in your inputs.conf:
crcSalt =<SOURCE>
Here's documentation on inputs.conf that you can search for "crcSalt" to find more details about it.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Inputsconf
The fishbucket is auto-magical and I have no clue why its always 0 mb in size etc on the disk. It's constantly used by splunk and data rotates within.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you provide the monitoring configuration (inputs.conf) that you're using for your monitoring?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi somesoni2,
I tried both edit the post or send the file content as a comment but neither worked 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why do you care about the fishbucket? ; -) after all it's an internal processing space...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ddrillic, thanks for the comment.
I dont in fact, but the data is getting duplicated as Splunks seems to index same file regardless the cyclic redundancy checks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh - got it ; -)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, thanks for your reply. I tried to edit the post but im not alowed. Hope it is alright to have it here:
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[blacklist:$SPLUNK_HOME\etc\auth]
[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal
[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version
[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt =
[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =
[fschange:$SPLUNK_HOME\etc]
poll every 10 minutes
pollPeriod = 600
generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
[udp]
connection_host=ip
[tcp]
acceptFrom=*
connection_host=dns
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip
[script]
interval = 60.0
start_by_shell = false
[SSL]
default cipher suites that splunk allows. Change this if you wish to increase the security
of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
sslQuietShutdown = false
Allow only sslv3 and above connections
sslVersions = *,-ssl2
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB
default single instance modular input restarts
[admon]
interval=60
baseline=0
[MonitorNoHandle]
interval=60
[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[WinNetMon]
interval=60
[WinPrintMon]
interval=60
[WinRegMon]
interval=60
baseline=0
[perfmon]
interval=300
[powershell]
interval=60
[powershell2]
interval=60
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
