topic Re: monitor latest file only in Monitoring Splunk

monitor latest file only

katalinali — Fri, 05 Nov 2010 17:33:17 GMT

I write a script to blacklist the oldest file but splunk don't reload inputs.conf until someone restart the services but it is not acceptable in my case. Do there are any options that control splunk to monitor only latest file or some rule like abandon oldest file when I need to monitor a folder that contains over thousands of file.

Re: monitor latest file only

ziegfried — Fri, 05 Nov 2010 17:52:12 GMT

The easiest way would be to monitor a separate folder and let the script place a symlink for the latest file there.

Re: monitor latest file only

dwaddle — Fri, 05 Nov 2010 21:42:41 GMT

The main caveat being sure you know when the latest file is 'done' and splunk has completely indexed it before redoing the symlink. Perhaps a good compromise might be to keep a symlink to the most current log and the one most-previous log. That way, Splunk can still have access to the prior 'latest' file right around the time of switchover.

Re: monitor latest file only

katalinali — Mon, 08 Nov 2010 09:36:46 GMT

It is windows platform and I don't have the right to control where the file should be placed. It may not work for me