topic Re: Issue with log rotation in Getting Data In

Issue with log rotation

maniu1609 — Tue, 12 Dec 2017 15:14:03 GMT

We have log files that are being monitored. Log files are deleted every 1 hour. We noticed that at the time of log rotation happens, some of the events are missed to indexed in splunk. How can I fix issue so that we don’t miss any data.

Re: Issue with log rotation

gcusello — Tue, 12 Dec 2017 15:21:18 GMT

Hi maniu1609,
the easiest way (if possible) should be to rotate logs in a different file so you can read the last logs in the new file, after a few time (1 or 2 minutes) you can delete it, because the problem is that logs between the last Splunk ingestion and deletion (max 30 seconds) are missed.
If it isn't possible you can reduce Forwarder read interval but anyway you lose something.

Bye.
Giuseppe

Re: Issue with log rotation

micahkemp — Tue, 12 Dec 2017 15:22:15 GMT

What does your monitor stanza look like, and how are you rotating (filename, compression, etc)?

Re: Issue with log rotation

maniu1609 — Wed, 13 Dec 2017 08:34:16 GMT

we have log file aaa.log and if the log file is older than 1hr, then file will be deleted. File monitor stanza just has index, sourcetype and host_regex details alone.