×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ebrand
New Member
Member since: ‎11-17-2016
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-17-2016
View All

Re: Why are my nearly identically-named log files ...

by in Getting Data In
‎11-21-2016 05:07 AM
‎11-21-2016 05:07 AM
Sorry, it was a typo error. We have this in our "Inputs.conf" file [monitor:///mnt/slv01/import/ATA42_NETWORK/NCD/.ncd(.gz)?] disabled = 0 index = aib_ata42_ncd sourcetype = ATA42_NCD crcSalt = ... View more

Re: Why are my nearly identically-named log files ...

by in Getting Data In
‎11-21-2016 12:47 AM
‎11-21-2016 12:47 AM
Thanks Iguinn, Sorry I forgot to precise that I am already using the "crcSalt = " option in my "Inputs.conf" file : [monitor:///mnt/slv01/import/ATA42_NETWORK/NCD/*.ncd(.gz)?] disabled = 0 index = aib_ata42_ncd sourcetype = ATA42_NCD crcSalt = The indexation issue occurs on a Splunk indexer server with version 6.2.0 (build 237341). This server is our PRODUCTION server Now I have tested this issue on a Splunk Light server with version 6.5.0 (build 59c8927def0f) This indexation issue does not occur with version 6.5.0 Light Could you confirm this is a bug in version 6.2.0 (build 237341) ? If yes, is there a patch ? ... View more

Why are my nearly identically-named log files not ...

by in Getting Data In
‎11-17-2016 11:19 PM
‎11-17-2016 11:19 PM
For our "ATA42_NETWORK" application we have indexed *.NCD files These files are located in an “input directory” monitored by Splunk for automatic indexing /mnt/slv01/import/ATA42_NETWORK/NCD When we perform a search request on our search head, we did not find all events for all *.NCD files For instance on the indexer server in “input directory” /mnt/slv01/import/ATA42_NETWORK/NCD we have NCD file for A350_MSN_0005 flight 55 and 56 [to102071@de0-lxsolp03 NCD]$ pwd /mnt/slv01/import/ATA42_NETWORK/NCD [to102071@de0-lxsolp03 NCD]$ ls -al A350_0005_F005* ... -r-xr-Sr-x 1 splunk splunk 138235 Apr 5 2016 A350_0005_F0055_2014_09_24_101025.ncd.gz -r-xr-Sr-x 1 splunk splunk 138235 Apr 5 2016 A350_0005_F0056_2014_09_25_105415.ncd.gz ... When we perform the following search on the search head, we found the events for flight 55 but there is no events for flight 56 index=aib_ata42_ncd source=/mnt/slv01/import/ATA42_NETWORK/NCD/A350_0005_F0055* index=aib_ata42_ncd source=/mnt/slv01/import/ATA42_NETWORK/NCD/A350_0005_F0056* Both NCD files have been indexed the same day (Apr 5 2016) and have the same unix rights in the “input directory” : (-r-xr-Sr-x) I have retrieved the two NCD files on my labtop, I have unzipped them and both NCD are strictly identical !!! (same md5sum) ➤ md5sum A350_0005_F0055_2014_09_24_101025.ncd 8edfdbfd2f2294512a84aed17f58c299 A350_0005_F0055_2014_09_24_101025.ncd ➤ md5sum A350_0005_F0056_2014_09_25_105415.ncd 8edfdbfd2f2294512a84aed17f58c299 A350_0005_F0056_2014_09_25_105415.ncd My question: It seems that we have an indexing issue. Do you have an idea of the possible root cause of the problem? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM