Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to monitor files with archiving policies

Zane
Explorer
‎09-20-2023 08:16 PM

I am currently encountering a problem where I have a log file that will be archived to another folder after reaching certain conditions. I have set up UF monitoring for both files, but the data collected may be duplicate. However, if I do not monitor the archive folder, some logs in the later positions will be lost in the file. I suspect it may be related to the file being archived too quickly? How to solve this problem

for example,my log file is abc.log, and then, it will be archived to current path /debug/abc.1.log, I have set the monitor for both files, but the data is duplicate, however,  if i do not monitor current path /debug/abc.1.log, i will lose the content at the end of the file.

 

 

Labels (4)
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-20-2023 11:33 PM

Hi @Zane,

you could put under monitoring both the folders.

If you don't use the crcSal = <SOURCE> option, Splunk read only the last events in the rotated file and doesn't index twice the logs event if tey have a different filename (Remember that the above option must to be not present!).

Otherwise, if you rename the file before rotating (adding e.g. the new data to the file name), you can delay the rotation (30/60 seconds are sufficient) so Splunk will read also the last event in the file before i's moved to the new folder.

Ciao.

Giuseppe

Reply

Zane
Explorer
‎09-21-2023 12:54 AM

Hi  @gcusello 

thanks for your answer,

but I can‘t control delayed the rotation, due to those log file not managed by us, so if it's possible,adjusting from the Splunk side would be great.

so as you said, "you can delay the rotation (30/60 seconds are sufficient) so Splunk will read also the last event in the file",  according to this, i found there is a parameter in inputs.conf, "time_before_close", it's 3 by default,  can i adjust this value so as to delay UF close monitored files?for example, set it as 30?

thanks so much.

\Zane

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-21-2023 01:45 AM

Hi @Zane,

no, this parameter is when you rotate a file on the same folder, but, if I correctly understood, yu move it in another folder.

The solution is to put under monitoring also the destination folder to tale only the events between the last read and the rotation, remembering that you cannot use crcSalt = <SOUCE> in your inputs.conf.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...