- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- [RESOLVED] Forwarder stops at midnight on Windows ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have Splunk Universal Forwarders on 4 Windows 2012R2 servers, monitoring the DHCP server logs with this stanza:
[monitor://Z:\dhcp\logs]
disabled = 0
sourcetype = DhcpSrvLog
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
initCrcLength = 2000
That works when I started the forwarder. But I found that the forwarder stopped sending new logs to my indexers at midnight sharp, which I don't know if it has something to do with the fact that the log for today has a timestamp of midnight yesterday:
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 2/4/2015 12:00 AM 146695986 DhcpSrvLog-Tue.log
-a--- 2/4/2015 12:00 AM 138881102 DhcpSrvLog-Wed.log
At that point, I added an "alwaysOpenFile = 1" item in the stanza to see if that solves the problem. But I came in this morning to find that it had changed nothing whatsoever.
Soooo, what else can I do to handle this Microsoft beast?
[Edit]: Not sure if (or how) this could be a factor: The folder in the monitor stanza "Z:/dhcp/logs" is a Windows symbolic link to a folder "E:/dhcp/logs_<HOSTNAME>" -- those forward slashes (/) are replacement of back slashes in Windows, of course.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, my monitor stanza actually did work.
I guess I wasn't patient enough after I put in "alwaysOpenFile = 1", which I believe is what made Splunk deal with the log file rotation correctly, in combination with "initCrcLength = 2000".
I don't believe that "*crcSalt = *" is needed in this case but I am not going to change the stanza at this point as that does no harm either.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, my monitor stanza actually did work.
I guess I wasn't patient enough after I put in "alwaysOpenFile = 1", which I believe is what made Splunk deal with the log file rotation correctly, in combination with "initCrcLength = 2000".
I don't believe that "*crcSalt = *" is needed in this case but I am not going to change the stanza at this point as that does no harm either.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
