https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86453#M17973 <P>Thanks Simeon, that is exactly how we would expect the system to operate and it's great to have confirmation of that behavior.</P> Wed, 07 Mar 2012 20:11:27 GMT beaumaris 2012-03-07T20:11:27Z https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86449#M17969 <P>We are trying to monitor logs in a directory that are created by an application that does the following</P> <OL> <LI>Creates a new filename that has a date/time stamp in the file name</LI> <LI>Points a symbol link (filename working.log) to the newly created file</LI> <LI>At regular intervals (a period of minutes) it repeats steps 1 and 2</LI> </OL> <P>In essence we have two options for monitoring here: we can monitor the directory, which detects the newly created files, waits for the end of file to not change and then uploads the file contents; or we can use followTail=1 on the working.log file and not worry about all the individually-named files. For the second option, we're assuming that Splunk will be able to follow the "end" of the working.log file even as the symlink is changed from one physical file to the next. If Splunk does correctly follow the end of the working.log file, then the expectation is that this will reduce the time it takes to upload the logged data since we won't have to wait for the "end of file" to be detected.</P> <P>Will Splunk work correctly on a symlink that is changes the target file every few minutes?</P> Wed, 07 Mar 2012 14:48:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86449#M17969 beaumaris 2012-03-07T14:48:21Z https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86450#M17970 <P>What is the purpose of the symlink? Splunk should automatically handle the new file unless all of the events are the same as the previous file.</P> Wed, 07 Mar 2012 16:52:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86450#M17970 Simeon 2012-03-07T16:52:42Z https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86451#M17971 <P>The log files and the symlink are being managed by a 3rd party application, so it is unclear to us why they take this approach. However, given that the symlink exists, the thinking is that if Splunk does follow the symlink as it gets set to different targets, then we can use followTail=1 on the working.log file and the events will be delivered sooner, since they will be detected as soon as they are written to disk rather than waiting for Splunk to determine that the file is no longer being written to which can take many seconds.</P> Wed, 07 Mar 2012 17:07:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86451#M17971 beaumaris 2012-03-07T17:07:08Z https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86452#M17972 <P>Splunk should follow the symlink once the timestamp/modtime is updated. So in your case, you can point Splunk at the file which the app is updating. </P> Wed, 07 Mar 2012 19:24:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86452#M17972 Simeon 2012-03-07T19:24:19Z https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86453#M17973 <P>Thanks Simeon, that is exactly how we would expect the system to operate and it's great to have confirmation of that behavior.</P> Wed, 07 Mar 2012 20:11:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-will-followTail-1-work-on-a-symlink-that-keeps-changing/m-p/86453#M17973 beaumaris 2012-03-07T20:11:27Z