Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Batch input for Windows preventing new file creati...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We want to set up a process that writes an application log to a batch input where Splunk will ingest the file and then delete it. The problem is the script that is creating the file is not being allowed to create the file with the following error. Each file is uniquely named. The batch input is for a directory.
PS C:\Users\sa-> C:\Users\sa\Desktop\Export_Server_Oper_Reg_Keys_v1.ps1
Add-Content : The process cannot access the file 'C:\Temp\windows_reg_export\regxprt2016-06-24_14.59.txt' because it is being used by another process.
At C:\Users\sa-\Desktop\Export_TU_Server_Oper_Reg_Keys_v1.ps1:63 char:1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (C:\Temp\windows...06-24_14.59.txt:String) [Add-Content], IOException
+ FullyQualifiedErrorId : GetContentWriterIOError,Microsoft.PowerShell.Commands.AddContentCommand
The script only works if the Splunkforwarder service is stopped. I have never seen this behavior before. Any ideas? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up writing a wrapper to execute the PS script and using a script input since we could not get this issue resolved. Could not figure how to fix the question above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up writing a wrapper to execute the PS script and using a script input since we could not get this issue resolved. Could not figure how to fix the question above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are having the same problem. What do you mean by "writing a wrapper to execute the PS script and using a script input" as the workaround?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The forwarder is locking the file. It's a resource race / contention issue.
Instead of using batch, use monitor with movePolicy=sinkhole.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried that getting the error message - any other ideas?
The UF is running as a local admin and the script is being run as a local admin well.
Thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
