All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

windows file locking?

bfaber
Communicator
‎05-24-2010 03:54 PM

can Splunk read an windows share when files are still be written to it?

Reply
1 Solution
Solved! Jump to solution
Solution

Michael_Wilde
Splunk Employee
Splunk Employee
‎05-26-2010 02:30 AM

Sure, if the file isn't locked by an application. Windows has a much different way of locking files that UNIX (which has the concept of "inodes"). It can lock them up so tight that you can't even open them read-only. For databases, this is a good idea. For logfiles, this is inconvenient. A good way to test whether splunk will be able to monitor/index a file while its being written is to open it with Notepad. If Notepad can't open it, Splunk probably won't be able to. But there are some exceptions. Microsoft Exchange's Message Tracking Log. We've seen Splunk have no problem indexing it, but a user couldn't open it in notepad... why?

When a windows app creates an object for accessing/writing a file with the CreateFile() class, there are some options that it can open/create that file with. Those options are around sharing access to the file.

http://msdn.microsoft.com/en-us/library/aa363874.aspx

I'm just going to guess... that Exchange uses CreateFile() and has sharing set to "FILE_SHARE_READ". I'm also going to guess when notepad uses CreateFile() --which is also used for opening a file, it tries to get GENERIC_WRITE privs on a file...

As engineering has verified for me, when Splunk uses CreateFile() to access a file, it first tells Windows it would like "GENERIC_READ" on the file and options that basically allow reading, writing, or deleting by other apps. Splunk is going to do its best to open the file, not lock it in anyway, but if other apps need to open that file as well, no problem.

If i am right about how Notepad opens a file with GENERIC_WRITE, then thats why is why Splunk can read it.. when Notepad cant.

More about file access: http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx

In most cases where Splunk cannot read a logfile it is sadly a failure of the app developer who has chosen to not share read access to the log file while its being written.

View solution in original post

Reply
Solved! Jump to solution
Solution

Michael_Wilde
Splunk Employee
Splunk Employee
‎05-26-2010 02:30 AM

Sure, if the file isn't locked by an application. Windows has a much different way of locking files that UNIX (which has the concept of "inodes"). It can lock them up so tight that you can't even open them read-only. For databases, this is a good idea. For logfiles, this is inconvenient. A good way to test whether splunk will be able to monitor/index a file while its being written is to open it with Notepad. If Notepad can't open it, Splunk probably won't be able to. But there are some exceptions. Microsoft Exchange's Message Tracking Log. We've seen Splunk have no problem indexing it, but a user couldn't open it in notepad... why?

When a windows app creates an object for accessing/writing a file with the CreateFile() class, there are some options that it can open/create that file with. Those options are around sharing access to the file.

http://msdn.microsoft.com/en-us/library/aa363874.aspx

I'm just going to guess... that Exchange uses CreateFile() and has sharing set to "FILE_SHARE_READ". I'm also going to guess when notepad uses CreateFile() --which is also used for opening a file, it tries to get GENERIC_WRITE privs on a file...

As engineering has verified for me, when Splunk uses CreateFile() to access a file, it first tells Windows it would like "GENERIC_READ" on the file and options that basically allow reading, writing, or deleting by other apps. Splunk is going to do its best to open the file, not lock it in anyway, but if other apps need to open that file as well, no problem.

If i am right about how Notepad opens a file with GENERIC_WRITE, then thats why is why Splunk can read it.. when Notepad cant.

More about file access: http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx

In most cases where Splunk cannot read a logfile it is sadly a failure of the app developer who has chosen to not share read access to the log file while its being written.

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎06-20-2011 03:19 PM

The short version is the logging application has to open the file with FILE_SHARE_READ, and if it doesn't, there's nothing anyone else can do to read the file, including Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...