Getting Data In

How to ensure logs generated during Universal Forwarder upgrade are not lost or duplicated?

cboillot
Contributor

We are about to upgrade several hundred Universal Forwarders (UF) in our environment. We want to make sure that any logs that were generated during the upgrade of the UF would not be lost or duplicated. I did find info on current_only, however it seems this is only for the Windows Event Log Monitor, and not the MONITOR: input.

Is there anything we need to make sure we have in place?

How will the UF know where the old version left off?

I have tried to look this up, but with all the posts just named Universal Forwarder, I could have overlooked if this has been asked before.

0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

What you are referring to is inbuilt Splunk functionality, as per Monitor files and directories:

When the Splunk server is restarted, it continues processing files where it left off. It first checks for the file or directory specified in a monitor configuration. If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. The monitor process scans subdirectories of monitored directories continuously.

Effectively Splunk keeps a checkpoint of where it got to in a file in the fishbucket (an internal filestore within the forwarder), so unless you're wiping out the Splunk installation directory an upgrade will not cause any issues, as the files will not be deleted by upgrades.

You do have some controls around determining if the file has been seen before in the inputs.conf, in particular refer to initCrcLength. You only need to adjust this if you see issues in the splunkd.log from the forwarder; by default this functionality should just work!


cboillot
Contributor

Thank you! This is what I thought, but was asked to get verification.

0 Karma

gjanders
SplunkTrust
SplunkTrust

Not a problem, you can send feedback to the documentation team if it is not clear enough, they are usually happy to take feedback...

0 Karma