Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Log File Rotation causing new file to not ingest

TRobertshaw
New Member
‎01-31-2024 07:06 PM

We have a file that is rotated at midnight every night.  The file is renamed and zipped up. 

Sometimes after the log rotation Splunk does not ingest the new file.

There are no errors in the Splunkd log relating to crc or anything along those lines.

A restart of Splunk resolves the issue however we would like to find a more permanent solution.

We are on UF version, 9.0.4.

 

Appreciate any suggestions you may have

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 11:32 PM

Are you sure that the file is _rotated_ (as in renamed and compressed)? Because that behaviour is pretty consistent with the "copytruncate" behaviour of logrotate when the contents of the file are copied out to a new file and the file is truncated afterwards. In such case the file descriptor does not change but Splunk suddenly finds itself after the end of the data so most probably assumes that it had already read all the data there was.

0 Karma
Reply

TRobertshaw
New Member
‎02-01-2024 02:58 PM

Is there a way to allow Splunk to refresh and review the new file everytime?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-01-2024 03:24 PM

You'd have to restart the forwarder service after logrotate. (Because I assume that's what you're using). Just like normally you kill -HUP your syslog daemon.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...