I do a rotate sql log frequently. Splunk is monitoring my log files
There are sometime error on the SQL log file rotation process
Is it really the Splunk process that cause the issue?
It's hard to be certain based on the description provided, but this is PROBABLY a problem with creating a new logfile.
In Windows, if your program is writing out, say sql_logfile.log, and splunk is reading sql_logfile.log, a problem can arise during rotation, that goes like this:
There is no solution to this, short of rewriting Splunk data collection as a system call hook oriented tool, or a kernel driver. Both of which would greatly increase the risk of causing harm to the system while collecting information.
Generally speaking, the file semantics on Windows do not support rotating logs in this fashion. Renaming live files is problematic in a number of different ways. Thus most Windows-native apps will follow a strategy of creating files named for the time or date, and not renaming them. If that's an option for you I recommend it.
If it's not an option, you could try using the setting time_before_close = 0 on an input pointing at these files. That does not eliminate this problem, but should drastically shrink the time window during which splunk has the files open, making it occur less frequently.
@jrodman - Do you know if this is still relevant ~7 years later? We're currently trying to monitor a third-party system that rolls logs like this, and we seem to be running into the same issue. Is the workaround still the same?