Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I'm testing splunk, and when I edit my logfiles, splunk doesn't notice the changes. Why?

jrodman
Splunk Employee
Splunk Employee
‎04-17-2010 01:52 AM

I have a test logfile I fed into Splunk:

Apr 13 10:41:16 support05 kernel: [1815783.556088] usb 2-1: new full speed USB device using uhci_hcd and address 32 Apr 13 10:41:16 support05 kernel: [1815783.699049] usb 2-1: not running at top speed; connect to a high speed hub

and so on.

Splunk consumed the file just fine.

Then I opened the file and overwrote some text in the middle of the file. Splunk ignored my changes. Why didn't splunk re-index those lines?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-17-2010 07:25 AM

By default, Splunk detects changes in files by first checking the modification time.

  • If that has changed, it checks the first 256 bytes of the file
    • If that is different from the last time it saw the file, it will index the file from the beginning.
    • If it is the same as the last time it saw the file, it will check the last 256 bytes of the file.
      • If it has changed, Splunk will index new events from the point that previously read.

Thus, if you change the file in the middle, Splunk may detect the modification times, but will not see any change at the beginning or end of the file, and therefore will index any part of the file anew.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-17-2010 07:25 AM

By default, Splunk detects changes in files by first checking the modification time.

  • If that has changed, it checks the first 256 bytes of the file
    • If that is different from the last time it saw the file, it will index the file from the beginning.
    • If it is the same as the last time it saw the file, it will check the last 256 bytes of the file.
      • If it has changed, Splunk will index new events from the point that previously read.

Thus, if you change the file in the middle, Splunk may detect the modification times, but will not see any change at the beginning or end of the file, and therefore will index any part of the file anew.

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎04-17-2010 08:08 AM

Er, if the last place it was in the file changed, it reindex the whole file too. If they both match and there's new data, it starts from that offset. 😉

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎04-17-2010 08:07 AM

Fwiw, in 4.1 it's changes in modification time or file size.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...