log file rotate and flush conundrum

pkd18 — Thu, 09 May 2019 09:40:42 GMT

Splunk forwarder monitors a file named AppLogs.txt. 3 times a day, a cron job copies the original file to a backup AppLogs.txt.timestamp and flushes the original file. Between the copy to backup and flush, the application writes some more logs into the original AppLogs.txt which is not captured by the splunk forwarder and lost when the original file is flushed. What would be the ideal solution to solve this problem?

Re: log file rotate and flush conundrum

somesoni2 — Thu, 09 May 2019 14:53:41 GMT

Monitor the rolled logs as well and ensure you're not using crcSalt = <SOURCE>. When you monitor the rolled logs as well, Splunk would know that it's a copy of the file already ingested (the CRC for the file would be same even if it's renamed) and would not re-ingest whole file again, just the new/missed content. You don't want to use crcSalt = <SOURCE> as it'll force the CRC to be generated based on full file path and the file path will change when you rename it, causing a re-ingestion.

topic Re: log file rotate and flush conundrum in Monitoring Splunk

log file rotate and flush conundrum

Re: log file rotate and flush conundrum