Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issue with log rotation

maniu1609
Path Finder
‎12-12-2017 07:14 AM

We have log files that are being monitored. Log files are deleted every 1 hour. We noticed that at the time of log rotation happens, some of the events are missed to indexed in splunk. How can I fix issue so that we don’t miss any data.

0 Karma
Reply

micahkemp
Champion
‎12-12-2017 07:22 AM

What does your monitor stanza look like, and how are you rotating (filename, compression, etc)?

0 Karma
Reply

maniu1609
Path Finder
‎12-13-2017 12:34 AM

we have log file aaa.log and if the log file is older than 1hr, then file will be deleted. File monitor stanza just has index, sourcetype and host_regex details alone.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-12-2017 07:21 AM

Hi maniu1609,
the easiest way (if possible) should be to rotate logs in a different file so you can read the last logs in the new file, after a few time (1 or 2 minutes) you can delete it, because the problem is that logs between the last Splunk ingestion and deletion (max 30 seconds) are missed.
If it isn't possible you can reduce Forwarder read interval but anyway you lose something.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...