Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monitor a File That's Being Purged Regularly

jepoyyyy
Explorer
‎08-29-2016 11:58 PM

Hi All,

I have a multi-tiered Splunk deployment and I am having some serious indexing lag from a remote host.

We have configured a forwarder to monitor a file that is being purged every 30 minutes. After the said interval, the contents of the file are being written in an archive directory. The problem is, we have a significant amount of lag before it becomes searchable in Splunk. We sometimes experience as far as 5 hour indexing lag from that particular source. Upon checking on it now, it is down to 45 minutes lag. So the lag varies from time to time.

We're pretty sure that it is not being caused by an undersized Splunk infrastracture because we are also collecting *nix stats (cpu, ram, disk, etc) and these events come in in near-realtime.

Upon checking the logs from the forwarder, we see this line from time to time.

WatchedFile - Checksum for seekptr didn't match, will re-read entire file="/some/file/name/file.log".

Is there an inputs.conf parameter that I should make use to monitor a file that is being flushed regularly?

Any help would greatly be appreciated.

Kindest regards,
Jeff

0 Karma
Reply

jepoyyyy
Explorer
‎10-10-2016 04:00 AM

I found the root cause of this already. The file that was being monitored was just too big for the default bandwidth limit of the forwarder.

I modified the maxKbps in limits.conf to adjust it and accommodate the volume.

I hope this helps someone someday.

Kindest regards,
Jef

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...