All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can Splunk read Windows log file data based on file size change alone?

john_goody_bt
Engager
‎02-06-2014 04:43 AM

Q: Is there a simple solution that would enable Splunk to index log file changes on Windows 2008 as they happen?

The Problem:
An application that writes text log files has recently been moved from Windows 2003 to (64 bit) Windows 2008 and we have been retesting it. Microsoft appear to have changed the behaviour of the file system descriptors.

On Windows 2003, Splunk 5.0.2 had been monitoring these log files and indexing log file data lines as they changed.

On Windows 2008, while the Log File Size increases, the modification date+time is remaining unchanged until the text log file closes (at end of day). Splunk 5.0.2 is no longer able to index log file changes as they happen, but only when the file is closed by the application - and at which point the modification date is updated.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 09:29 AM

You can give alwaysOpenFile=1 a shot, see http://docs.splunk.com/Documentation/Splunk/6.0.1/Admin/Inputsconf for more info.

Reply

john_goody_bt
Engager
‎02-07-2014 11:40 AM

Thanks - this suggestion helps somewhat.

Tried as suggested and bouncing Splunk, but the indexed data did not change. When I also updated "ignoreolderthan" to go back beyond the Windows last modification date of the log file and again bounced Splunk, then everything in the log file got read in.

However, since then the monitored log file has again been updated (file size has grown, I can view the changed content in Notepad, etc.) but the modification date is still unchanged - and those additional lines have not been indexed by Splunk.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...