Simple text file suddenly (but thoroughly) being i...

mikeely · ‎01-10-2012

I've got this little file Oracle appends a row to every hour, and it stopped being monitored mysteriously sometime around the last logrotate (near as I can tell). Now it's not updating, or updating haphazardly. Here's what the file looks like:

10-01-12:08:47:02,         0,         0,         2,         6,       106,         2
10-01-12:08:48:01,         0,         0,         2,         6,       106,         2
10-01-12:08:49:01,         0,         0,         2,         6,       106,         2

Heady stuff, I know. Anyhow, Splunk was indexing that file well enough and now it isn't. Currently, my inputs.conf stanza for it looks like this:

[monitor:///u01/app/oracle/db/tech_st/11.1.0/log/scriptout]

recursive = true

disabled=0

followTail=1

I've tried crcSalt to no avail. I even tried to disable followTail but in the log it said TailingProcessor: starting at offset whatever... and continued to not do what I wanted.

Is there a way to "reset" the entries resulting from this stanza and force a re-index? And why did it die?

woodcock · ‎06-01-2015

The short answer is: do not use followTail=1:
http://answers.splunk.com/answers/57819/when-is-it-appropriate-to-set-followtail-to-true.html

Simple text file suddenly (but thoroughly) being ignored

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor