Hello,
My company uses Splunk. Our Splunk logs reach sizes in excess of 50 GB. At midnight Splunk compresses this file and then creates a new log file to write data to. That compression takes almost an hour or two, so no data is written during that time because the new file has not been created yet.
What configurations do I need to change so that Splunk will create the new log file and write data to it while it compresses the previous day's log file?
Sincerely,
User
Splunk is not compressing and rotating your log files - unless someone wrote a script and added it to Splunk, which is unlikely.
Usually, on Linux, people use cron + the logrotate command to do this.
I recommend:
1 - rotate the log files more frequently. Try to keep the size down to 10Gb or less. Usually, you can specify a time-based or a size-based parameter to the log file rotation software.
2 - do not immediately compress the rolled log. If xyz.log rolls to xyz.log.1, do not compress it. Compress xyz.log.2 instead. This will allow Splunk to finish indexing the xyz.log.1 file before it is compressed.
3 - blacklist the compressed files (*.gz or whatever) so that Splunk does not look at them, otherwise it may duplicate events.
This will also give you smaller log files, so the compression should run faster. When you are re-configuring your log rotation software, be sure it is running regularly. If you are using cron, change the run interval from daily to hourly.
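The three recommendations above, written out as the files you would actually install. This is an added example, not configuration from the original answer or from Splunk: the log path /var/log/myapp/xyz.log, the sourcetype myapp, the retention count and the output directory are assumptions. The logrotate stanza uses `maxsize` (rotate when either the hour passes or 10G is exceeded) and `delaycompress` (xyz.log.1 stays uncompressed for one cycle, xyz.log.2 and older are gzipped), the cron line runs logrotate hourly, and the Splunk inputs.conf stanza blacklists the .gz copies so they are never indexed a second time.

```shell
#!/bin/sh
# Added example (not from the original post): writes the logrotate stanza,
# the hourly cron entry and the Splunk inputs.conf stanza recommended above.
# /var/log/myapp/xyz.log, sourcetype "myapp" and all paths below are assumptions.
set -eu

write_logrotate_conf() {
    # $1 = file to write, e.g. /etc/logrotate.d/xyz
    cat > "$1" <<'EOF'
/var/log/myapp/xyz.log {
    # "hourly" only works if logrotate itself runs hourly (cron entry below);
    # maxsize also forces a rotation as soon as the file passes 10G
    hourly
    maxsize 10G
    # keep one week of hourly files
    rotate 168
    missingok
    notifempty
    # delaycompress: xyz.log.1 is left uncompressed for one cycle so Splunk
    # can finish indexing it; xyz.log.2 and older get gzipped
    compress
    delaycompress
    # a fresh, empty xyz.log exists immediately after rotation; the writing
    # process must reopen it (use copytruncate instead if it cannot)
    create 0640 root adm
}
EOF
}

write_cron_entry() {
    # $1 = file to write, e.g. /etc/cron.d/logrotate-hourly
    cat > "$1" <<'EOF'
# run logrotate every hour instead of once a day
0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF
}

write_splunk_inputs() {
    # $1 = file to write, e.g. $SPLUNK_HOME/etc/system/local/inputs.conf
    cat > "$1" <<'EOF'
[monitor:///var/log/myapp/xyz.log*]
sourcetype = myapp
# the wildcard also matches xyz.log.2.gz etc.; blacklist is a regex on the
# full path, so the compressed copies are skipped and events are not duplicated
blacklist = \.gz$
EOF
}

# Returns 0 only if the stanza carries every directive the advice relies on.
check_logrotate_conf() {
    grep -q '^[[:space:]]*hourly' "$1" &&
    grep -q '^[[:space:]]*maxsize' "$1" &&
    grep -q '^[[:space:]]*delaycompress' "$1"
}

# logrotate -d parses the config and reports what it would do without touching
# any log; skipped when logrotate is not installed on this machine.
dry_run() {
    conf="$1"; state="$2"
    if command -v logrotate >/dev/null 2>&1; then
        logrotate -d -s "$state" "$conf" || echo "dry run reported problems for $conf"
    fi
}

main() {
    dir="${1:-$(mktemp -d)}"
    write_logrotate_conf "$dir/xyz-logrotate.conf"
    write_cron_entry "$dir/logrotate-hourly.cron"
    write_splunk_inputs "$dir/inputs.conf"
    check_logrotate_conf "$dir/xyz-logrotate.conf"
    dry_run "$dir/xyz-logrotate.conf" "$dir/logrotate.state"
    echo "wrote example configs to $dir"
}

main "$@"
```

Run it with a directory argument to inspect the generated files before copying them into place; `logrotate -d` only reads the config, so the dry run is safe to repeat. With `delaycompress` in place, the compression work happens one cycle after the rename, so the new xyz.log is available for writes immediately and Splunk keeps tailing xyz.log.1 until it is done.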