Hi All, currently we have an issue reported by a user -- he is unable to see the current data in Splunk. When checked from Splunk, we could see data being indexed till yesterday at 10:30 AM from the remote machine under this path /var/bsm.
Inputs.conf details:
[monitor:///var/bsm]
sourcetype = unix:host:bsm
index = unix
disabled = 0
When validated on the remote machine test01 under the path /var/bsm/ from where Splunk is reading the files, we could see the below log files are present, but Splunk is not reading the log files.
/var/bsm/20171023.bsm.log
/var/bsm/20171024.bsm.log
By executing the below query, we could see the below error in splunkd.log
index="_internal" host="vcsmer01*" log_level=ERROR
10-24-2017 11:51:28.311 -0400 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=/var/bsm/20171021.bsm.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
10-24-2017 11:51:27.088 -0400 ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=/var/bsm/20171024.bsm.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
Kindly let me know how to fix this issue.
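The error above says the file's initial CRC matched a file Splunk was already tracking under a different name. As an added example (not part of the original post, and not Splunk's own code), the Python model below reproduces that collision and shows the effect of `crcSalt = <SOURCE>`; it assumes the daily files share a header longer than the default 256-byte `initCrcLength`, uses `zlib.crc32` as a stand-in checksum, and runs on constructed file contents.

```python
import zlib

INIT_CRC_LENGTH = 256  # default initCrcLength in inputs.conf


def init_crc(content, source, salt_with_source=False):
    """Checksum of the first INIT_CRC_LENGTH bytes, optionally salted with
    the source path, which is what crcSalt = <SOURCE> does.
    zlib.crc32 is a stand-in for Splunk's internal checksum (assumption)."""
    data = content[:INIT_CRC_LENGTH]
    if salt_with_source:
        data = source.encode() + data
    return zlib.crc32(data)


def skipped_files(files, salt_with_source=False):
    """Simplified model of the tailing check. files is a list of
    (path, content) in arrival order; returns the paths that would hit
    'too small to match seekptr checksum'."""
    seen = {}  # initcrc -> seek pointer (bytes already read) of the tracked file
    skipped = []
    for path, content in files:
        crc = init_crc(content, path, salt_with_source)
        if crc in seen and len(content) < seen[crc]:
            # Same initcrc as a known file, but shorter than its seek pointer.
            skipped.append(path)
        else:
            seen[crc] = len(content)
    return skipped


# Constructed sample data: both daily files start with the same 320-byte header.
HEADER = b"# bsm audit export\n" + b"#" * 300 + b"\n"
SAMPLE = [
    ("/var/bsm/20171023.bsm.log", HEADER + b"event\n" * 500),
    ("/var/bsm/20171024.bsm.log", HEADER + b"event\n" * 5),
]

if __name__ == "__main__":
    print("unsalted:", skipped_files(SAMPLE))
    print("salted:  ", skipped_files(SAMPLE, salt_with_source=True))
```

With `crcSalt = <SOURCE>` a renamed file counts as a new source and is indexed again, so it suits date-stamped files that are never renamed. Raising `initCrcLength` past the shared header is the other `inputs.conf` option.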