
Can Splunk read Windows log file data based on file size change alone?

john_goody_bt
Engager

Q: Is there a simple solution that would enable Splunk to index log file changes on Windows 2008 as they happen?

The Problem:
An application that writes text log files has recently been moved from Windows 2003 to (64-bit) Windows 2008 and we have been retesting it. Microsoft appear to have changed the behaviour of the file system descriptors.

On Windows 2003, Splunk 5.0.2 had been monitoring these log files and indexing log file data lines as they changed.

On Windows 2008, while the log file size increases, the modification date and time remain unchanged until the text log file closes (at end of day). Splunk 5.0.2 is no longer able to index log file changes as they happen, but only when the file is closed by the application, at which point the modification date is updated.


martin_mueller
SplunkTrust

You can give alwaysOpenFile=1 a shot, see http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Inputsconf for more info.
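For reference, an inputs.conf monitor stanza that applies the setting suggested above. This is an added example, not configuration posted in the thread; the file path, sourcetype and index are placeholders. Per the inputs.conf documentation, alwaysOpenFile is intended as a last resort for files whose modification time does not update, because the tailer then opens the file on every scan instead of relying on the cheaper size/modtime check.

```ini
# Added example stanza (not from the thread). Path, sourcetype and index are assumed.
[monitor://D:\AppLogs\app.log]
sourcetype = app_textlog
index = app
# Open the file on each scan and read appended bytes instead of waiting for
# the modification time to change (documented as a last-resort setting, as it
# adds load on the forwarder).
alwaysOpenFile = 1
# Never skip this file because its modification time looks stale.
# 0 (the default) disables the age threshold; set a duration such as 7d to keep one.
ignoreOlderThan = 0
```

After changing the stanza, restart the Splunk instance that runs the input so the tailer re-reads inputs.conf, then confirm with `splunk list monitor` that the file is being tracked and that new lines appear in search without waiting for the application to close the file.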

john_goody_bt
Engager

Thanks - this suggestion helps somewhat.

Tried as suggested and bounced Splunk, but the indexed data did not change. When I also updated "ignoreolderthan" to go back beyond the Windows last modification date of the log file and again bounced Splunk, then everything in the log file got read in.

However, since then the monitored log file has again been updated (the file size has grown, I can view the changed content in Notepad, etc.), but the modification date is still unchanged, and those additional lines have not been indexed by Splunk.
