Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Reindex gz files not working : Why is already indexed as a non-archive?

splunkreal
Motivator
‎07-20-2022 07:22 AM

Hello,
we have issue reindexing archives as gz files even using crcSalt = <SOURCE> or crcSalt = REINDEXMPLEASE
We CAN'T go on each UF and clean fishbucket.

 

UF (V7.1.4) linux splunkd.log :
07-19-2022 18:19:09.129 +0200 INFO ArchiveProcessor - Handling file=/var/log/MAJ-OS.log-20220601.gz
07-19-2022 18:19:09.130 +0200 INFO ArchiveProcessor - reading path=/var/log/MAJ-OS.log-20220601.gz (seek=0 len=1356)
07-19-2022 18:19:09.281 +0200 INFO ArchiveProcessor - Archive with path="/var/log/MAJ-OS.log-20220601.gz" was already indexed as a non-archive, skipping.
07-19-2022 18:19:09.281 +0200 INFO ArchiveProcessor - Finished processing file '/var/log/MAJ-OS.log-20220601.gz', removing from stats

It also says "new tailer already processed path..."


inputs.conf app from deployment-apps (V8.2.2) :
[monitor:///var/log/MAJ-OS.log*]
blacklist = archives
disabled = false
index = inf-servers
sourcetype = MAJ-OS
crcSalt = <SOURCE>

 

Thanks for your help.

 

 

* If this helps, please upvote or accept solution if it solved *
Labels (3)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunkreal
Motivator
‎07-21-2022 03:17 AM

Solved with support help:

 

add:

crcSalt = <SOURCE>

initCrcLength = 1000

ignoreOlderThan = 90d

 

---

 

Another personal workaround that could do the job : example :

 

[script://./bin/MAJ-OS_zcat.sh]

source = MAJ-OS_zcat

interval = 2592000

disabled = true

index = inf-servers

sourcetype = MAJ-OS

 

MAJ-OS_zcat.sh :

#!/bin/sh

content=`zcat /var/log/MAJ-OS.log-20220701.gz | grep -i status`

echo $content "(catchup 07/20/2022)"

 

🙂

* If this helps, please upvote or accept solution if it solved *

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

splunkreal
Motivator
‎07-21-2022 03:17 AM

Solved with support help:

 

add:

crcSalt = <SOURCE>

initCrcLength = 1000

ignoreOlderThan = 90d

 

---

 

Another personal workaround that could do the job : example :

 

[script://./bin/MAJ-OS_zcat.sh]

source = MAJ-OS_zcat

interval = 2592000

disabled = true

index = inf-servers

sourcetype = MAJ-OS

 

MAJ-OS_zcat.sh :

#!/bin/sh

content=`zcat /var/log/MAJ-OS.log-20220701.gz | grep -i status`

echo $content "(catchup 07/20/2022)"

 

🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...