Getting Data In

No data logged during log rotation. How to configure Splunk to create the new log file and write data to it while compressing the previous day's log file?

pranavrao
New Member

Hello,

My company uses Splunk. Our Splunk logs reach size in excess of 50+ GB. At midnight Splunk compresses this file and then creates a new log file to write data to. That compression takes almost an hour or two, hence no data is written since the new file is not created.

What configurations do I need to change so that Splunk will create the new log file and then write data to it, while it compresses the previous day's log file?

Sincerely,
User

0 Karma

lguinn2
Legend

Splunk is not compressing and rotating your log files - unless someone wrote a script and added it to Splunk, which is unlikely.
Usually, on Linux, people use cron + the logrotate command to do this.

I recommend:
1 - rotate the log files more frequently. Try to keep the size down to 10Gb or less. Usually, you can specify a time-based or a size-based parameter to the log file rotation software.
2 - do not immediately compress the rolled log. If xyz.log rolls to xyz.log.1, do not compress it. Compress xyz.log.2 instead. This will allow Splunk to finish indexing the xyz.log.1 file before it is compressed.
3 - blacklist the compressed files (*.gz or whatever) so that Splunk does not look at them, otherwise it may duplicate events.

This will also give you smaller log files, so that the compression should run faster. When you are re-configuring your log rotation software, be sure to make sure it is running regularly. If you are using cron, change the run interval from daily to hourly.

0 Karma
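
The three recommendations in the answer above, written out as configuration. This is an added example, not part of the original answer; the log path `/var/log/app/xyz.log`, the file names under `/etc`, the logrotate binary path and the retention count are assumptions to adapt.

```conf
# ---- /etc/logrotate.d/xyz  (assumed file name and log path) ----
/var/log/app/xyz.log {
    # Rotate every hour; this only works if logrotate itself is
    # invoked hourly (see the cron entry below).
    hourly
    # Rotate early if the file grows past 10 GB before the hour is up.
    maxsize 10G
    # Keep 48 rotated files (assumed retention; adjust to policy).
    rotate 48
    compress
    # Leave xyz.log.1 uncompressed and compress it on the NEXT
    # rotation, so Splunk can finish indexing it first.
    delaycompress
    missingok
    notifempty
}

# ---- root crontab entry: run logrotate hourly instead of daily ----
# (binary and config paths are typical defaults, assumed here)
# 0 * * * * /usr/sbin/logrotate /etc/logrotate.conf

# ---- inputs.conf on the Splunk forwarder (assumed monitor path) ----
# Monitor the live file and its uncompressed rolled copy, but skip
# compressed archives so their events are not indexed a second time.
[monitor:///var/log/app/xyz.log*]
blacklist = \.(gz|bz2|zip)$
```

With `delaycompress`, the window in which a rolled file stays readable equals one rotation interval, so confirm the forwarder has caught up on `xyz.log.1` within that time before shortening the interval further.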