Splunk indexing issues for logs: WatchedFile - Checksum for seekptr didn't match

rchittip
Path Finder

Hello Everyone,

I have a question regarding ingesting log files which don't have a time stamp in the file name.

I am receiving the following error in the splunkd.log file:

01-08-2018 02:30:21.007 -0600 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/abcpad/gatst01/outbound/sys_data.log'.
01-08-2018 02:30:21.007 -0600 INFO WatchedFile - Will begin reading at offset=0 for file='/abcpad/gatst01/outbound/sys_data.log'.

FYI, the log file is generated through a script with the same filename every 15 mins. The log file is rolled over with new changes.

Please help me understand where I'm going wrong here. Below is the log file.

And here is the sample log file:

01-08-2018 00:24:57.487 Used Space: 30055416

Free Space: 67914024

Usage Percent: 31%

File System: /u02

Total Size: 309637120

Used Space: 32651888

Free Space: 261259152

Usage Percent: 12%

File System: /u03

Total Size: 877304620

Used Space: 559123000

Free Space: 273617140

Usage Percent: 68%

File System: /u04

Total Size: 1032123136

Used Space: 779034500

Free Space: 200659836

Usage Percent: 80%

File System: /u05

Total Size: 103212320

Used Space: 67048924

Free Space: 30920516

Usage Percent: 69%

File System: /u06

Total Size: 659131600

Used Space: 285883800

Free Space: 339770612

Usage Percent: 46%

File System: /u07

Total Size: 294155264

Used Space: 64517568

Free Space: 214696256

Usage Percent: 24%

File System: /u08

Total Size: 294155264

Used Space: 180619292

Free Space: 98594532

Usage Percent: 65%

File System: /u09

Total Size: 294155264

Used Space: 174681436

Free Space: 104532388

Usage Percent: 63%

01-08-2018 00:24:57.500 MemTotal: 51629136 kB MemFree: 483604 kB Cached: 41778468 kB SwapCached: 10080 kB SwapTotal: 10751992 kB SwapFree: 10056880 kB

Thanks,

Ramu Chittiprolu

0 Karma
1 Solution

HiroshiSatoh
Champion

The checksum is determined by default by the first 256 bytes. Therefore, for this log, which has the time at the beginning, reading the entire log each time is the correct action.

Even if the file names are different, Splunk will judge them to be the same file if the checksum is the same.

0 Karma

rchittip
Path Finder

Thanks Hiroshi.
So what is the probable resolution for ingesting the logs into Splunk in this case?

0 Karma

rchittip
Path Finder

Dears, does anyone have an update on my question?

FYI, below is the input.conf file stanza:

Logs

[monitor:///abcpad/gatst0*/outbound/sys_data.log]
index=oraclelen
sourcetype=abcpad
crcSalt=
followTail=0
alwaysOpenFile=1
initCrcLength = 3000
crcSalt=REINDEXME01

[servername:admin]/opt/splunk/deploy/splunk/etc/deployment-apps/inputs_oracle/local>

0 Karma
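
A simplified model of the check described in the accepted answer and of the static crcSalt string in the stanza above, added here as an illustration and not taken from the thread or from Splunk's code. The TailTracker class, the use of zlib.crc32, the checksum over all bytes before the seek pointer, and the sample data are assumptions standing in for Splunk's internal checksum and checkpoint store.

```python
import zlib

class TailTracker:
    """Toy checkpoint store for a file monitor (a model, not Splunk's code)."""

    def __init__(self, init_crc_length=256):  # 256 = default from the answer
        self.n = init_crc_length
        self.seen = {}  # head CRC -> (seek offset, CRC of bytes before it)

    def check(self, data, salt=b""):
        """Return (decision, start_offset); the file path plays no part."""
        key = zlib.crc32(salt + data[:self.n])
        record = self.seen.get(key)
        if record is None:
            result = ("new", 0)
        else:
            seek, seek_crc = record
            if len(data) >= seek and zlib.crc32(data[:seek]) == seek_crc:
                result = ("resume", seek)
            else:
                # Known head, but bytes before the seek pointer changed.
                result = ("reread", 0)
        # Model reading to EOF and checkpointing the new position.
        self.seen[key] = (len(data), zlib.crc32(data))
        return result

# Constructed sample data: a fixed header longer than 256 bytes.
HEADER = b"# constructed disk usage report\n" + b"File System: /u02\n" * 15
RUN1 = HEADER + b"Usage Percent: 31%\n"
APPENDED = RUN1 + b"Usage Percent: 32%\n"
REWRITTEN = HEADER + b"Usage Percent: 80%\n" * 3
STAMP_A = b"01-08-2018 00:24:57.487 " + RUN1
STAMP_B = b"01-08-2018 00:39:57.512 " + RUN1

def demo():
    t = TailTracker()
    return [
        t.check(RUN1),        # first sighting
        t.check(APPENDED),    # same head, old bytes intact
        t.check(REWRITTEN),   # same head, body replaced by the script
        t.check(REWRITTEN),   # identical copy, e.g. under another name
        t.check(REWRITTEN, salt=b"REINDEXME01"),  # salt changes the key
        t.check(STAMP_A),     # timestamp in the first 256 bytes...
        t.check(STAMP_B),     # ...differs on every run
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```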