https://community.splunk.com/t5/Getting-Data-In/Forwarder-stop-reads-monitored-logs-after-restart/m-p/453467#M78552 <P>We had similar issues with a unix forwarder. I has to monitor over a million of files. It stopped sending logfiles and had high CPU consumption. I assume you are struggling with the same issue as we did. </P> <P>The UF doesnt like haveing lots of open files like you configured with <CODE>alwaysOpenfile=1</CODE> Even if you get rid of this option I doubt that the UF will work. </P> <P>Try using the <CODE>batch://</CODE>option. It reads and deletes the file. if you dont want to delete the file on your server I suggest, that you write a script in which the files are copied to a temporary directory. </P> <P>In the end you will have configuration like this (inputs.conf):</P> <PRE><CODE>[batch://c:\FirstFolder\Log\service\System\20*\PROXY\...] disabled = false index=my_index sourcetype=proxy move_policy = sinkhole </CODE></PRE> Fri, 22 Feb 2019 13:47:08 GMT markusspitzli 2019-02-22T13:47:08Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-stop-reads-monitored-logs-after-restart/m-p/453466#M78551 <P>Hi to all,</P> <P>I have several Forwarders on Windows that monitor more than 20k items each (folder and logs inside them).<BR /> In total I'm monitoring more than 200k logs.</P> <P>This is my inputs.conf deployed on those forwarders:</P> <PRE><CODE>[monitor://c:\FirstFolder\Log\service\System\20*\PROXY\...] disabled = false index=my_index sourcetype=proxy alwaysOpenFile=1 [monitor://c:\\FirstFolder\Log\service\System\20*\00*\*.log] disabled = false index=my_index sourcetype=process alwaysOpenFile=1 [monitor://c:\\FirstFolder\Log\service\System\20*\00*.log] disabled = false index=my_index sourcetype=device alwaysOpenFile=1 [monitor://c:\\FirstFolder\Log\service\System\20*\ERROR_*.log] disabled = false index=main sourcetype=error alwaysOpenFile=1 </CODE></PRE> <P>When I restart the forwarders, they does not monitor anymore the files that the forwarders read before, even if the log files will be written after the restart.</P> Fri, 26 Oct 2018 13:41:05 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-stop-reads-monitored-logs-after-restart/m-p/453466#M78551 robertosegantin 2018-10-26T13:41:05Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-stop-reads-monitored-logs-after-restart/m-p/453467#M78552 <P>We had similar issues with a unix forwarder. I has to monitor over a million of files. It stopped sending logfiles and had high CPU consumption. I assume you are struggling with the same issue as we did. </P> <P>The UF doesnt like haveing lots of open files like you configured with <CODE>alwaysOpenfile=1</CODE> Even if you get rid of this option I doubt that the UF will work. </P> <P>Try using the <CODE>batch://</CODE>option. It reads and deletes the file. if you dont want to delete the file on your server I suggest, that you write a script in which the files are copied to a temporary directory. </P> <P>In the end you will have configuration like this (inputs.conf):</P> <PRE><CODE>[batch://c:\FirstFolder\Log\service\System\20*\PROXY\...] disabled = false index=my_index sourcetype=proxy move_policy = sinkhole </CODE></PRE> Fri, 22 Feb 2019 13:47:08 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-stop-reads-monitored-logs-after-restart/m-p/453467#M78552 markusspitzli 2019-02-22T13:47:08Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-stop-reads-monitored-logs-after-restart/m-p/453468#M78553 <P>Hi @robertosegantin ,</P> <P>Did you try cheking splunk internal logs? Are der any ERRORS in log_level?</P> <PRE><CODE>index=_internal </CODE></PRE> Fri, 22 Feb 2019 15:38:53 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-stop-reads-monitored-logs-after-restart/m-p/453468#M78553 vinod94 2019-02-22T15:38:53Z