Hello Everyone,
I have a question regarding ingesting log files which don't have a time stamp in the file name.
I am receiving the following error in the splunkd.log file:
01-08-2018 02:30:21.007 -0600 INFO WatchedFile - Checksum for seekptr didn't match, will re-read entire file='/abcpad/gatst01/outbound/sys_data.log'.
01-08-2018 02:30:21.007 -0600 INFO WatchedFile - Will begin reading at offset=0 for file='/abcpad/gatst01/outbound/sys_data.log'.
FYI, the log file is generated through a script with the same filename every 15 mins. The log file is rolled over with new changes.
Request you to help me with where I'm going wrong here. Below is the log file.
And here is the sample log file:
01-08-2018 00:24:57.487 Used Space: 30055416
Free Space: 67914024
Usage Percent: 31%
File System: /u02
Total Size: 309637120
Used Space: 32651888
Free Space: 261259152
Usage Percent: 12%
File System: /u03
Total Size: 877304620
Used Space: 559123000
Free Space: 273617140
Usage Percent: 68%
File System: /u04
Total Size: 1032123136
Used Space: 779034500
Free Space: 200659836
Usage Percent: 80%
File System: /u05
Total Size: 103212320
Used Space: 67048924
Free Space: 30920516
Usage Percent: 69%
File System: /u06
Total Size: 659131600
Used Space: 285883800
Free Space: 339770612
Usage Percent: 46%
File System: /u07
Total Size: 294155264
Used Space: 64517568
Free Space: 214696256
Usage Percent: 24%
File System: /u08
Total Size: 294155264
Used Space: 180619292
Free Space: 98594532
Usage Percent: 65%
File System: /u09
Total Size: 294155264
Used Space: 174681436
Free Space: 104532388
Usage Percent: 63%
01-08-2018 00:24:57.500 MemTotal: 51629136 kB MemFree: 483604 kB Cached: 41778468 kB SwapCached: 10080 kB SwapTotal: 10751992 kB SwapFree: 10056880 kB
Thanks,
Ramu Chittiprolu
The checksum is determined by default by the first 256 bytes. Therefore, for this log with the time at the beginning of the log, reading the entire log each time is the correct action.
Even if the file names are different, Splunk will judge them to be the same file if the checksum is the same.
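A simplified model of the behaviour this answer describes, added here as an illustration (it is not Splunk's code and not part of the original thread). It assumes CRC32 from `zlib` as a stand-in checksum; `HeadCrcTracker`, `snapshot` and the sample contents are constructed for the example, and the seek-pointer check from the log message is not modelled.

```python
import zlib

HEAD_LEN = 256  # per the answer above: default checksum covers the first 256 bytes

def head_crc(data: bytes, length: int = HEAD_LEN) -> int:
    """CRC32 over the first `length` bytes (CRC32 is this model's stand-in checksum)."""
    return zlib.crc32(data[:length])

class HeadCrcTracker:
    """Toy monitor: remembers how far each file was read, keyed only by head checksum."""

    def __init__(self) -> None:
        self.offsets: dict[int, int] = {}

    def observe(self, data: bytes) -> tuple[str, int]:
        """Return (action, start_offset) for a file's current contents."""
        key = head_crc(data)
        seen = self.offsets.get(key)
        if seen is None:
            action = ("read_from_start", 0)   # unknown head: treated as a new file
        elif len(data) > seen:
            action = ("resume", seen)         # known head, file grew: read the tail only
        else:
            action = ("skip", seen)           # known head, nothing new: ignored
        self.offsets[key] = len(data)
        return action

def snapshot(timestamp: str) -> bytes:
    """Constructed sample shaped like the sys_data.log excerpt in the question."""
    return (f"{timestamp} Used Space: 30055416\nFree Space: 67914024\n"
            "Usage Percent: 31%\nFile System: /u02\n").encode()

def demo() -> dict[str, tuple[str, int]]:
    t = HeadCrcTracker()
    results = {}
    # Same path rewritten every 15 minutes: the leading timestamp changes the head.
    results["first_run"] = t.observe(snapshot("01-08-2018 00:24:57.487"))
    results["rewritten"] = t.observe(snapshot("01-08-2018 00:39:57.487"))
    # Two differently named files sharing an identical 300-byte banner (constructed).
    banner = b"# disk usage report\n" * 15
    results["file_a"] = t.observe(banner + b"host=a\n")
    results["file_b"] = t.observe(banner + b"host=b\n")
    return results

if __name__ == "__main__":
    for name, action in demo().items():
        print(name, action)
```

In this model the rewritten file is read from offset 0 again because its first bytes changed, while `file_b` is skipped because its first 256 bytes match a file already read.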
Thanks Hiroshi.
So what is the probable resolution for ingesting the logs into Splunk in this case?
Dears, does anyone have an update on my question?
FYI, below is the input.conf file stanza:
[monitor:///abcpad/gatst0*/outbound/sys_data.log]
index=oraclelen
sourcetype=abcpad
crcSalt=
[servername:admin]/opt/splunk/deploy/splunk/etc/deployment-apps/inputs_oracle/local>