Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Log rotation for compressed files

asarolkar
Builder
‎06-15-2012 11:53 AM

We are using Splunk to monitor server.log file from a JBoss instance that rolls over daily (we use the logrotate utility to gz server.log daily)

The folder looks like this inside : 

//var/log

//server.log

//server.log.June-12.gz

//server.log.June-13.gz

//server.log.June-14.gz

//server.log.June-15.gz

//

We use the universal forwarder on this linux box to push data out to the indexer.

Currently: Our configuration in the inputs.conf on the forwarder side looks like this. 

[monitor://var/log/jboss_logs/server*]

disabled=0

index=os

sourcetype=serverlog

What this does unfortunately is that it gets the daily server.log (which its supposed to because of the server* wildcard) -- and then, everyday it indexes the uncompressed content of the server.*.gz files that are out there

Based on what is described here - apparently log rotation does not apply to the .gz and .tar file formats because they are treated as new files:

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorFilesAndDirectories

Does this mean that we will definitely see duplicates ? Has anybody seen a problem like this previously ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

emiller42
Motivator
‎06-15-2012 01:45 PM

You can add whitelists/blacklists to your inputs.conf to filter out unwanted files:

blacklist = \.(gz)$

Should filter out anything in the folder with a .gz extension. (Or you could just whitelist .log files to get the same result. Depends on what else is in there)

http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Whitelistorblacklistspecificincomingdata

View solution in original post

Reply
Solved! Jump to solution
Solution

emiller42
Motivator
‎06-15-2012 01:45 PM

You can add whitelists/blacklists to your inputs.conf to filter out unwanted files:

blacklist = \.(gz)$

Should filter out anything in the folder with a .gz extension. (Or you could just whitelist .log files to get the same result. Depends on what else is in there)

http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Whitelistorblacklistspecificincomingdata

Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...