Getting Data In

Can Universal forwarder forward the delta changes from a file to splunk instance?

royimad
Builder

I need to know if a universal forwarder could send only the delta changes in a log or need to forward the hole log to the splunk instance.

0 Karma
1 Solution

kristian_kolb
Ultra Champion

As I answered you in a similar question, the forwarder will keep track on the how far into a file it has read, so that it can determine which events have been added since it last looked.

It will also be able to determine if a filed has been rotated, though in some circumstances you will have to make a few configuration changes to make the forwarder understand that it's looking at a new file.

See the "Getting Data In" section in the docs.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Monitorfilesanddirectories
http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled

Hope this helps,

Kristian

View solution in original post

Ayn
Legend

It's the only behaviour - I don't understand how else it would work.

0 Karma

royimad
Builder

Thanks, So sending the delta is the default behavior?

0 Karma

kristian_kolb
Ultra Champion

As I answered you in a similar question, the forwarder will keep track on the how far into a file it has read, so that it can determine which events have been added since it last looked.

It will also be able to determine if a filed has been rotated, though in some circumstances you will have to make a few configuration changes to make the forwarder understand that it's looking at a new file.

See the "Getting Data In" section in the docs.
http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Monitorfilesanddirectories
http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled

Hope this helps,

Kristian

Ayn
Legend

I think you need to clarify what your definition of those two cases are. Send only the delta when? Send the whole log when? Forwarders obviously will not send the whole log file each and every time an event is added to it.

Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...