Hi dears,
I have a problem about the data input.
I monitored a directory, and found some data didn't be eaten. I don't know what's wrong with it.
My server works on Linux.
I try to move these file to Windows, and use the same props.conf.
Strange thing happened! I can find the data that they can't be searched on the Linux server.
I clean the index many times, wait several hours, but all useless.
Some people encountered the same situation?
Thanks a lot. 😃
Add:
crcSalt = <SOURCE>
as in:
[monitor://xxxxxxxxxxxxxxx]
disabled = 0
followTail = 0
host = xxxxxxxxxxxxxxx
index = xxxxxxxxxxxxxxx
crcSalt = <SOURCE>
sourcetype = iis_w3c_default
to your input in inputs.conf.
This should be typed exactly and splunk will have to be restarted. Monitor the logs again to see if you keep getting the errors you mentioned. Also watch for your data to start appearing. Let me know how it goes
Please check your splunkd.log file for errors related to the files you are trying to monitor with the following search command:
index="_internal" " error " NOT debug source="*splunkd.log*"
You can specify a time range to narrow your results.
Also, is the directory you are trying to monitor on windows or linux. And I believe that your index server is linux, is that correct?
On Linux, are you running Splunk as root or another user? If running as a different user, you might want to check the user has permissions to access all files in the directory you are monitoring.
I used 'chmod 777
Thanks, hulahoop. I login as root, and decompress these files to a folder.I will try to change these permissions of files to '0777'.But I am a bit confused, why some data in the file be not eaten? If the problem is the permissions, should all the data in the file be not eaten? Thanks. 😃
Add:
crcSalt = <SOURCE>
as in:
[monitor://xxxxxxxxxxxxxxx]
disabled = 0
followTail = 0
host = xxxxxxxxxxxxxxx
index = xxxxxxxxxxxxxxx
crcSalt = <SOURCE>
sourcetype = iis_w3c_default
to your input in inputs.conf.
This should be typed exactly and splunk will have to be restarted. Monitor the logs again to see if you keep getting the errors you mentioned. Also watch for your data to start appearing. Let me know how it goes
Please check your splunkd.log file for errors related to the files you are trying to monitor with the following search command:
index="_internal" " error " NOT debug source="*splunkd.log*"
You can specify a time range to narrow your results.
Also, is the directory you are trying to monitor on windows or linux. And I believe that your index server is linux, is that correct?
Great!Thank you very much! It works! 😃
Sorry about the above comment didn't show correctly. Please see my initial answer for the revisions.
Add:
crcSalt =
as in:
[monitor://xxxxxxxxxxxxxxxxxx]
disabled = 0
followTail = 0
host = xxxxxxxxxxxx
index = xxxxxxxxx
crcSalt =
to your input in inputs.conf. This should be typed exactly and splunk will have to be restarted. Monitor the logs again to see if you keep getting the errors you mentioned. Also watch for your data to start appearing. Let me know how it goes.
Thanks, justinhart.I find many errors about 'TailingProcessor - Ignoring path due to: File will not be read, is too small to match seekptr checksum...'.I think it may be about the permissions. I will try and tell you. And I don't setup a index server of Splunk.I just put them on one computer.