We want to set up a process that writes an application log to a batch input where Splunk will ingest the file and then delete it. The problem is the script that is creating the file is not being allowed to create the file with the following error. Each file is uniquely named. The batch input is for a directory.
PS C:\Users\sa-> C:\Users\sa\Desktop\Export_Server_Oper_Reg_Keys_v1.ps1 Add-Content : The process cannot access the file 'C:\Temp\windows_reg_export\regxprt2016-06-24_14.59.txt' because it is being used by another process. At C:\Users\sa-\Desktop\Export_TU_Server_Oper_Reg_Keys_v1.ps1:63 char:1 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : WriteError: (C:\Temp\windows...06-24_14.59.txt:String) [Add-Content], IOException + FullyQualifiedErrorId : GetContentWriterIOError,Microsoft.PowerShell.Commands.AddContentCommand
The script only works if the Splunkforwarder service is stopped. I have never seen this behavior before. Any ideas? Thanks!
The forwarder is locking the file. It's a resource race / contention issue.
Instead of using batch, use monitor with movePolicy=sinkhole.
tried that getting the error message - any other ideas?
The UF is running as a local admin and the script is being run as a local admin well.
Ended up writing a wrapper to execute the PS script and using a script input since we could not get this issue resolved. Could not figure how to fix the question above.
We are having the same problem. What do you mean by "writing a wrapper to execute the PS script and using a script input" as the workaround?