Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does a file monitor input work even if the log being monitored is open for writing by the application that manages it?

andrewtrobec
Motivator
‎11-12-2019 02:23 AM

Hello all,

As the title states, I'd like to know whether a file input continues to index a log even though that file is open for writing by the application that manages it. I'm busy evaluating whether to keep UFs on source systems with file inputs active, or whether it might be better to externalize those logs through a secondary process and index those to avoid performance issues.

Best regards,

Andrew

0 Karma
Reply

gaurav_maniar
Builder
‎11-12-2019 02:56 AM

Hi,

Splunk File Monitoring does not lock the file for writing while indexing the data.
The purpose of Monitoring is to read the files as soon as it gets new data, but it will not lock the file for writing by the application that modifying it.

If there are many source systems, instead of installing Splunk on all the system rather gather all the logs on central system by file transfer or other methods.
Now monitor all the logs from the Central system via Splunk.

Reply

andrewtrobec
Motivator
‎11-12-2019 03:09 AM

@gaurav_maniar Thanks for the reply! Follow-up question: can a Splunk UF forward new data added to a log even though that log is open for writing by the application that writes to it? Does the application have to release the write log for the Splunk UF to be able to forward new data?

0 Karma
Reply

gaurav_maniar
Builder
‎11-12-2019 04:32 AM

As long as the file permission are correct, Splunk will manage modification of files with insert of new lines, without particular configurations. Splunk automatically reads the modified files and forward the newly added logs.

Windows may prevent reading of open files. In that case you can add monitorNoHandle to your file monitor configuration. This Windows-only input lets you read files on Windows systems as Windows writes to them.
For more details - https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Monitorfilesanddirectories

If the given information answers your all queries, please accept the answer to close the question.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...