All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can Splunk read Windows log file data based on file size change alone?

john_goody_bt
Engager
‎02-06-2014 04:43 AM

Q: Is there a simple solution that would enable Splunk to index log file changes on Windows 2008 as they happen?

The Problem:
An application that writes text log files has recently been moved from Windows 2003 to (64 bit) Windows 2008 and we have been retesting it. Microsoft appear to have changed the behaviour of the file system descriptors.

On Windows 2003, Splunk 5.0.2 had been monitoring these log files and indexing log file data lines as they changed.

On Windows 2008, while the Log File Size increases, the modification date+time is remaining unchanged until the text log file closes (at end of day). Splunk 5.0.2 is no longer able to index log file changes as they happen, but only when the file is closed by the application - and at which point the modification date is updated.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 09:29 AM

You can give alwaysOpenFile=1 a shot, see http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Inputsconf for more info.

Reply

john_goody_bt
Engager
‎02-07-2014 11:40 AM

Thanks - this suggestion helps somewhat.

Tried as suggested and bouncing Splunk, but the indexed data did not change. When I also updated "ignoreolderthan" to go back beyond the Windows last modification date of the log file and again bounced Splunk, then everything in the log file got read in.

However, since then the monitored log file has again been updated (file size has grown, I can view the changed content in Notepad, etc.) but the modification date is still unchanged - and those additional lines have not been indexed by Splunk.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...