Can Splunk read Windows log file data based on file size change alone?

john_goody_bt
Engager

Q: Is there a simple solution that would enable Splunk to index log file changes on Windows 2008 as they happen?

The Problem:
An application that writes text log files has recently been moved from Windows 2003 to (64 bit) Windows 2008 and we have been retesting it. Microsoft appear to have changed the behaviour of the file system descriptors.

On Windows 2003, Splunk 5.0.2 had been monitoring these log files and indexing log file data lines as they changed.

On Windows 2008, while the Log File Size increases, the modification date+time is remaining unchanged until the text log file closes (at end of day). Splunk 5.0.2 is no longer able to index log file changes as they happen, but only when the file is closed by the application - and at which point the modification date is updated.

martin_mueller
SplunkTrust

You can give alwaysOpenFile=1 a shot, see http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Inputsconf for more info.

john_goody_bt
Engager

Thanks - this suggestion helps somewhat.

Tried as suggested and bounced Splunk, but the indexed data did not change. When I also updated "ignoreolderthan" to go back beyond the Windows last modification date of the log file and again bounced Splunk, then everything in the log file got read in.

However, since then the monitored log file has again been updated (file size has grown, I can view the changed content in Notepad, etc.) but the modification date is still unchanged - and those additional lines have not been indexed by Splunk.
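
A diagnostic for the symptom described in this thread, added here as an example and not part of any post above: it compares two stat snapshots of the monitored files and labels those whose size grew while the modification time stayed the same. The function names, the labels and the demo file name are assumptions made for illustration; the demo forces the mtime back on a temporary file to imitate the behaviour.

```python
import os
import tempfile
from typing import Dict, Iterable, NamedTuple

class Snapshot(NamedTuple):
    size: int
    mtime_ns: int

def take_snapshot(paths: Iterable[str], stat=os.stat) -> Dict[str, Snapshot]:
    """Record size and modification time for each path that can be stat'ed."""
    snap = {}
    for p in paths:
        try:
            st = stat(p)
        except OSError:
            continue  # file rotated away or not created yet
        snap[p] = Snapshot(st.st_size, st.st_mtime_ns)
    return snap

def classify(before: Dict[str, Snapshot], after: Dict[str, Snapshot]) -> Dict[str, str]:
    """Label every file in the later snapshot by how it changed."""
    result = {}
    for path, new in after.items():
        old = before.get(path)
        if old is None:
            result[path] = "new"
        elif new.size > old.size and new.mtime_ns == old.mtime_ns:
            result[path] = "grew-stale-mtime"  # the symptom from this thread
        elif new.size > old.size:
            result[path] = "grew"
        elif new.size < old.size:
            result[path] = "truncated"
        else:
            result[path] = "unchanged"
    return result

def demo() -> str:
    """Constructed demo: append to a temp log, then restore its old mtime."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")  # hypothetical log file name
        with open(path, "w") as f:
            f.write("line 1\n")
        before = take_snapshot([path])
        with open(path, "a") as f:
            f.write("line 2\n")
        old = before[path].mtime_ns
        os.utime(path, ns=(old, old))  # imitate an mtime that never moved
        after = take_snapshot([path])
        return classify(before, after)[path]
```

Run `take_snapshot` twice a few minutes apart over the monitored paths; any file labelled `grew-stale-mtime` is one where a collector that relies on the modification time would fall behind.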
