https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-abruptly-stop-forwarding-logs/m-p/570872#M101152 <P>Hi guys... I have a splunk forwarder instance v8.2.1 on a AIX server. I have a custom app configured on which I am monitoring a few logs and forwarding them to an indexer.&nbsp;</P><P>I am having a weird problem where the forwarder stops sending data every day at 1 PM and resumes sending data feed at 1 AM. So, I would have no data consumed between 1 PM to 1AM. Any suggestions on what could be the issue ?&nbsp;</P><P>However, I am also forwarding splunkd.log to the same indexers and I see that log data all thru the day. The issue I am facing is only with one of the custom app I have on this instance.&nbsp;</P><P>I am sharing inputs.conf and props.conf entries&nbsp;</P><P>========== inputs.conf =========</P><P>[monitor:///log/mycustomereport/mycustomereport.log*]<BR />disabled = false<BR />followTail = 0<BR />sourcetype =mycustomereport<BR />blacklist = \.gz<BR />index = 20000_java_app_idx<BR />ignoreOlderThan=2h</P><P>========== props.conf =========</P><P>[mycustomereport]<BR />TIME_PREFIX=\w+\|<BR />TIME_FORMAT=%m/%d/%Y %I:%M:%S %3Q %p<BR />TRUNCATE = 0<BR />MAX_EVENTS = 10000<BR />SHOULD_LINEMERGE = false<BR />KV_MODE = none<BR />LINE_BREAKER = ([\n\r]+)mycustomereport<BR />MAX_TIMESTAMP_LOOKAHEAD = 40</P><P>PS: I do see that log file I am monitoring is having data written to it consistently.&nbsp;</P><P>I did enable debug logs... i dont see anything written which could helped me understand the issue. I also dont see any crash file generated.&nbsp;</P> Wed, 13 Oct 2021 23:00:49 GMT vik 2021-10-13T23:00:49Z https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-abruptly-stop-forwarding-logs/m-p/570872#M101152 <P>Hi guys... I have a splunk forwarder instance v8.2.1 on a AIX server. I have a custom app configured on which I am monitoring a few logs and forwarding them to an indexer.&nbsp;</P><P>I am having a weird problem where the forwarder stops sending data every day at 1 PM and resumes sending data feed at 1 AM. So, I would have no data consumed between 1 PM to 1AM. Any suggestions on what could be the issue ?&nbsp;</P><P>However, I am also forwarding splunkd.log to the same indexers and I see that log data all thru the day. The issue I am facing is only with one of the custom app I have on this instance.&nbsp;</P><P>I am sharing inputs.conf and props.conf entries&nbsp;</P><P>========== inputs.conf =========</P><P>[monitor:///log/mycustomereport/mycustomereport.log*]<BR />disabled = false<BR />followTail = 0<BR />sourcetype =mycustomereport<BR />blacklist = \.gz<BR />index = 20000_java_app_idx<BR />ignoreOlderThan=2h</P><P>========== props.conf =========</P><P>[mycustomereport]<BR />TIME_PREFIX=\w+\|<BR />TIME_FORMAT=%m/%d/%Y %I:%M:%S %3Q %p<BR />TRUNCATE = 0<BR />MAX_EVENTS = 10000<BR />SHOULD_LINEMERGE = false<BR />KV_MODE = none<BR />LINE_BREAKER = ([\n\r]+)mycustomereport<BR />MAX_TIMESTAMP_LOOKAHEAD = 40</P><P>PS: I do see that log file I am monitoring is having data written to it consistently.&nbsp;</P><P>I did enable debug logs... i dont see anything written which could helped me understand the issue. I also dont see any crash file generated.&nbsp;</P> Wed, 13 Oct 2021 23:00:49 GMT https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-abruptly-stop-forwarding-logs/m-p/570872#M101152 vik 2021-10-13T23:00:49Z https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-abruptly-stop-forwarding-logs/m-p/570874#M101154 <P>Is there a process that restarts the UF at 1am?</P><P>Why <FONT face="courier new,courier">ignoreOlderThan=2h</FONT>?&nbsp; If the log file's mod time ever becomes 2 hours old the log file will be ignored until the UF restarts.</P> Thu, 14 Oct 2021 00:06:30 GMT https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-abruptly-stop-forwarding-logs/m-p/570874#M101154 richgalloway 2021-10-14T00:06:30Z https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-abruptly-stop-forwarding-logs/m-p/570876#M101155 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>The file is constantly updated with data. I did try removing&nbsp;<SPAN>ignoreOlderThan. But I didn't&nbsp;see the logs flow.&nbsp;</SPAN></P><P><SPAN>UF does not have any scheduled restarts at 1AM. The process runs for days without any restart but still has the same same behavior&nbsp;every single day.&nbsp;</SPAN></P> Thu, 14 Oct 2021 00:11:40 GMT https://community.splunk.com/t5/Getting-Data-In/SplunkForwarder-abruptly-stop-forwarding-logs/m-p/570876#M101155 vik 2021-10-14T00:11:40Z