在一个多文件目录中,有若干文件一直无法成功索引。
分析过程
查看错误日志
# cd /opt/splunkforwarder/var/log/splunk
# grep "data" splunkd.log
其中data为索引失败的文件名称的一部分,意为查找出错的文件的日志
10-30-2019 20:08:55.341 +0800 ERROR TailReader - File will not be read, seekptr checksum did not match (file=/tmp/cobra/running/s88d75o4gnng_data). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at https://www.splunk.com/page/submit_issue for more info.
可以看出是initCrcLen出了问题,只需要针对性的调整即可
解决方法
更改input.conf文件
# vi /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///data/cobra]
disabled = false
index = cobra_new
initCrcLength = 2560000 //增加这一项
重启forwarder,问题解决
© 走过岁月...... | Powered by LOFTER