Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple logs being written per day; only the first log is searchable

bspalding
Engager
3 weeks ago

I have an application writing multiple log files per day - the files are very similar to each other. The file naming convention is logfile_MM-DD-YYYY_hh-mm.log (e.g. logfile_06-12-2025-11-47.log). 

My universal forwarder is set up like this:

[monitor://E:\path\logfile*.log]
disabled = 0
crcSalt = <SOURCE>
index = XXXX
sourcetype = XXXX
_meta = env::prod-new

The first log file of the day is searchable in Splunk, but every file after that is not visible.


I have tried using logfile_*.log as the file name. I have also tried without the crcSalt command, but I'm not seeing any difference. 

Any suggestions?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Prewin27
Contributor
3 weeks ago

@bspalding 

Use initCrcLength if your files are extremely similar at the start and the UF is getting confused

Eg:
Note-Change initCrcLength value based on your similar header size

[monitor://E:\path\logfile*.log]
disabled = 0
initCrcLength = 256
crcSalt = <UNIQUESOURCE>
index = XXXX
sourcetype = XXXX
_meta = env::prod-new


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Prewin27
Contributor
3 weeks ago

@bspalding 

Use initCrcLength if your files are extremely similar at the start and the UF is getting confused

Eg:
Note-Change initCrcLength value based on your similar header size

[monitor://E:\path\logfile*.log]
disabled = 0
initCrcLength = 256
crcSalt = <UNIQUESOURCE>
index = XXXX
sourcetype = XXXX
_meta = env::prod-new


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
3 weeks ago

Do the files have a common header?  If so, you may need to set initCrcLength to a value larger than the header.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...