A monitored log file is changing on the forwarder. However, Splunk searches are not finding any new data that has been added. What are possible causes? (select all that apply)
A. An admin ran splunk clean eventdata -index on the indexer.
B. An admin has removed the Splunk fishbucket on the forwarder.
C. The last 256 bytes of the monitored file are not changing.
D. The first 256 bytes of the monitored file are not changing.
A monitored log file is changing on the forwarder, but Splunk searches are not finding any new data that has been added. This could be caused by two possible reasons: B. An admin has removed the Splunk fishbucket on the forwarder. C. The last 256 bytes of the monitored file are not changing.

Option B is correct because the Splunk fishbucket is a directory that stores information about the files that have been monitored by Splunk, such as the file name, size, modification time, and CRC checksum. If an admin removes the fishbucket, Splunk will lose track of the files that have been previously indexed and will not index any new data from those files.

Option C is correct because Splunk uses the CRC checksum of the last 256 bytes of a monitored file to determine if the file has changed since the last time it was read. If the last 256 bytes of the file are not changing, Splunk will assume that the file is unchanged and will not index any new data from it.

Option A is incorrect because running the splunk clean eventdata -index command on the indexer will delete all the data from the specified index, but it will not affect the forwarder's ability to send new data to the indexer.

Option D is incorrect because Splunk does not use the first 256 bytes of a monitored file to determine if the file has changed.
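The discussion above turns on what the forwarder's fishbucket records for a monitored file and what happens when that record is missing or collides. The following is an added example, not code from the original page and not Splunk's implementation: a deliberately simplified model of a monitor input in which a file's identity is the CRC of its first initCrcLength bytes (256 by default in inputs.conf, optionally salted with the source path as crcSalt = <SOURCE> does) and the fishbucket stores the byte offset already forwarded. The real fishbucket also keeps a CRC taken at the seek pointer and other fields; the class and function names, the truncation handling, and the IIS-style sample log lines are all constructed for this illustration. The scenarios walk through an append, an idle pass, a fishbucket reset, and two files that share an identical 256-byte header, with and without path salting.

```python
import os
import tempfile
import zlib

# inputs.conf initCrcLength defaults to 256: this many leading bytes identify a file.
INIT_CRC_LENGTH = 256

# Constructed sample data: a W3C-style header padded so that it alone fills the
# first INIT_CRC_LENGTH bytes, which is how real log files with boilerplate
# headers end up sharing an identical prefix.
HEADER = b"#Version: 1.0\n#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
HEADER += b"#" * (INIT_CRC_LENGTH - len(HEADER)) + b"\n"
LINE_A = b"2024-05-01 10:00:00 10.0.0.5 GET /index.html 200\n"
LINE_B = b"2024-05-01 10:00:07 10.0.0.9 POST /login 302\n"
OTHER_LINES = (b"2024-05-01 11:00:00 10.0.1.2 GET /admin 403\n"
               b"2024-05-01 11:00:01 10.0.1.2 GET /admin/../etc/passwd 404\n"
               b"2024-05-01 11:00:05 10.0.1.2 GET /healthz 200\n")


class Fishbucket:
    """Hypothetical stand-in for the forwarder's fishbucket (a model, not
    Splunk's code): file identity -> byte offset already forwarded."""

    def __init__(self, crc_salt_source=False):
        # crc_salt_source=True mimics inputs.conf 'crcSalt = <SOURCE>', which
        # mixes the path into the identity so same-header files stay distinct.
        self.crc_salt_source = crc_salt_source
        self.entries = {}

    def identity(self, path):
        with open(path, "rb") as f:
            head = f.read(INIT_CRC_LENGTH)
        salt = path.encode() if self.crc_salt_source else b""
        return zlib.crc32(salt + head)


def monitor_pass(path, bucket):
    """One pass of a monitor input over `path`: return the bytes that would be
    forwarded now and advance the stored seek pointer."""
    ident = bucket.identity(path)
    offset = bucket.entries.get(ident, 0)
    if os.path.getsize(path) < offset:
        # Shorter than the recorded pointer: treat as truncated and restart.
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        new_bytes = f.read()
    bucket.entries[ident] = offset + len(new_bytes)
    return new_bytes


def run_scenarios():
    """Exercise the cases behind the exam options; returns a dict of outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        access = os.path.join(d, "u_ex240501.log")
        bucket = Fishbucket()

        # 1. Fresh file: everything is forwarded, pointer lands at EOF.
        with open(access, "wb") as f:
            f.write(HEADER + LINE_A)
        results["first_pass"] = monitor_pass(access, bucket)

        # 2. Append: only the new line is forwarded (pointer-based tailing).
        with open(access, "ab") as f:
            f.write(LINE_B)
        results["after_append"] = monitor_pass(access, bucket)

        # 3. Nothing appended: the pass yields no data.
        results["idle_pass"] = monitor_pass(access, bucket)

        # 4. Fishbucket removed (fresh object): the pointer is gone, so the
        #    whole file is forwarded again (duplicate events), not skipped.
        bucket = Fishbucket()
        results["after_fishbucket_reset"] = monitor_pass(access, bucket)

        # 5. A second file whose first 256 bytes equal the first file's header:
        #    without salting both map to one identity, so the new file is read
        #    from the other file's pointer and its leading lines are skipped.
        other = os.path.join(d, "u_ex240501_2.log")
        with open(other, "wb") as f:
            f.write(HEADER + OTHER_LINES)
        results["collision_unsalted"] = monitor_pass(other, bucket)

        # 6. Same two files with crcSalt = <SOURCE>: each gets its own entry.
        salted = Fishbucket(crc_salt_source=True)
        monitor_pass(access, salted)
        results["collision_salted"] = monitor_pass(other, salted)
    return results


if __name__ == "__main__":
    for name, data in run_scenarios().items():
        lines = data.count(b"\n")
        print(f"{name}: {len(data)} bytes, {lines} line(s)")
```

In scenario 5 the "/admin/../etc/passwd" request is mostly lost without anyone noticing, which is the symptom the question describes; in scenario 4 the data comes back twice rather than not at all. On a real forwarder the stored record for a file can be inspected with splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <path>, and a header collision is addressed by setting crcSalt = <SOURCE> or raising initCrcLength on the monitor stanza.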