topic Re: What is the best way to use a universal forwarder to monitor a file that overwrites itself at random periods throughout the day? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-use-a-universal-forwarder-to-monitor-a/m-p/140644#M28820 <P>Relevant Questions / Answers:</P> <P><A href="http://answers.splunk.com/answers/61006/file-system-monitoring-of-text-files-that-are-overwritten.html">http://answers.splunk.com/answers/61006/file-system-monitoring-of-text-files-that-are-overwritten.html</A></P> <P><A href="http://answers.splunk.com/answers/6482/appending-vs-overwriting-tailed-log-files.html">http://answers.splunk.com/answers/6482/appending-vs-overwriting-tailed-log-files.html</A></P> <P><A href="http://answers.splunk.com/answers/218638/if-i-have-a-monitored-log-file-with-lines-that-are.html">http://answers.splunk.com/answers/218638/if-i-have-a-monitored-log-file-with-lines-that-are.html</A></P> <P><A href="http://answers.splunk.com/answers/2073/when-a-file-is-already-set-to-index-to-splunk-and-that-file-gets-overwritten-with-updates-meaning-instead-of-file-being-appended-does-splunk-smart-enough-to-not-to-reindex-already-indexed-data-and-only-index-whats-newly-aded.html">http://answers.splunk.com/answers/2073/when-a-file-is-already-set-to-index-to-splunk-and-that-file-gets-overwritten-with-updates-meaning-instead-of-file-being-appended-does-splunk-smart-enough-to-not-to-reindex-already-indexed-data-and-only-index-whats-newly-aded.html</A></P> Tue, 28 Jul 2015 23:05:01 GMT aljohnson_splun 2015-07-28T23:05:01Z What is the best way to use a universal forwarder to monitor a file that overwrites itself at random periods throughout the day? https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-use-a-universal-forwarder-to-monitor-a/m-p/140643#M28819 <P>Hoping that someone has seen this before and might be able to help.</P> <P>I'm fairly new to SPLUNK and I am attempting to send to the indexer a monitored file. This log file overwrites itself throughout the day at random periods based upon the software that generates it. I need to be able to have the file read and the contents pushed to the indexer. I need to make sure that we do not get duplicate values nor miss data from within the file.</P> <P>We are utilizing SPLUNK 6.1 and the Windows Universal Forwarder to monitor the file. Any insight on the best practice for this scenario would be greatly appreciated.</P> <P>Thanks.</P> Tue, 28 Jul 2015 21:58:57 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-use-a-universal-forwarder-to-monitor-a/m-p/140643#M28819 rfoley 2015-07-28T21:58:57Z Re: What is the best way to use a universal forwarder to monitor a file that overwrites itself at random periods throughout the day? https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-use-a-universal-forwarder-to-monitor-a/m-p/140644#M28820 <P>Relevant Questions / Answers:</P> <P><A href="http://answers.splunk.com/answers/61006/file-system-monitoring-of-text-files-that-are-overwritten.html">http://answers.splunk.com/answers/61006/file-system-monitoring-of-text-files-that-are-overwritten.html</A></P> <P><A href="http://answers.splunk.com/answers/6482/appending-vs-overwriting-tailed-log-files.html">http://answers.splunk.com/answers/6482/appending-vs-overwriting-tailed-log-files.html</A></P> <P><A href="http://answers.splunk.com/answers/218638/if-i-have-a-monitored-log-file-with-lines-that-are.html">http://answers.splunk.com/answers/218638/if-i-have-a-monitored-log-file-with-lines-that-are.html</A></P> <P><A href="http://answers.splunk.com/answers/2073/when-a-file-is-already-set-to-index-to-splunk-and-that-file-gets-overwritten-with-updates-meaning-instead-of-file-being-appended-does-splunk-smart-enough-to-not-to-reindex-already-indexed-data-and-only-index-whats-newly-aded.html">http://answers.splunk.com/answers/2073/when-a-file-is-already-set-to-index-to-splunk-and-that-file-gets-overwritten-with-updates-meaning-instead-of-file-being-appended-does-splunk-smart-enough-to-not-to-reindex-already-indexed-data-and-only-index-whats-newly-aded.html</A></P> Tue, 28 Jul 2015 23:05:01 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-use-a-universal-forwarder-to-monitor-a/m-p/140644#M28820 aljohnson_splun 2015-07-28T23:05:01Z Re: What is the best way to use a universal forwarder to monitor a file that overwrites itself at random periods throughout the day? https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-use-a-universal-forwarder-to-monitor-a/m-p/140645#M28821 <P>A standard file <CODE>monitor</CODE>-based <CODE>inputs.conf</CODE> entry should work just fine. It may give you some warm fuzzies to use a <CODE>batch</CODE>-based entry to have Splunk delete the file once it is forwarded if it comes in all at once (e.g. FTP) .</P> Tue, 28 Jul 2015 23:16:38 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-the-best-way-to-use-a-universal-forwarder-to-monitor-a/m-p/140645#M28821 woodcock 2015-07-28T23:16:38Z