Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Monitor a File That's Being Purged Regularly

jepoyyyy
Explorer
‎08-29-2016 11:58 PM

Hi All,

I have a multi-tiered Splunk deployment and I am having some serious indexing lag from a remote host.

We have configured a forwarder to monitor a file that is being purged every 30 minutes. After the said interval, the contents of the file are being written in an archive directory. The problem is, we have a significant amount of lag before it becomes searchable in Splunk. We sometimes experience as far as 5 hour indexing lag from that particular source. Upon checking on it now, it is down to 45 minutes lag. So the lag varies from time to time.

We're pretty sure that it is not being caused by an undersized Splunk infrastracture because we are also collecting *nix stats (cpu, ram, disk, etc) and these events come in in near-realtime.

Upon checking the logs from the forwarder, we see this line from time to time.

WatchedFile - Checksum for seekptr didn't match, will re-read entire file="/some/file/name/file.log".

Is there an inputs.conf parameter that I should make use to monitor a file that is being flushed regularly?

Any help would greatly be appreciated.

Kindest regards,
Jeff

0 Karma
Reply

jepoyyyy
Explorer
‎10-10-2016 04:00 AM

I found the root cause of this already. The file that was being monitored was just too big for the default bandwidth limit of the forwarder.

I modified the maxKbps in limits.conf to adjust it and accommodate the volume.

I hope this helps someone someday.

Kindest regards,
Jef

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...