Simple text file suddenly (but thoroughly) being i...

mikeely · ‎01-10-2012

I've got this little file Oracle appends a row to every hour, and it stopped being monitored mysteriously sometime around the last logrotate (near as I can tell). Now it's not updating, or updating haphazardly. Here's what the file looks like:

10-01-12:08:47:02,         0,         0,         2,         6,       106,         2
10-01-12:08:48:01,         0,         0,         2,         6,       106,         2
10-01-12:08:49:01,         0,         0,         2,         6,       106,         2

Heady stuff, I know. Anyhow, Splunk was indexing that file well enough and now it isn't. Currently, my inputs.conf stanza for it looks like this:

[monitor:///u01/app/oracle/db/tech_st/11.1.0/log/scriptout]

recursive = true

disabled=0

followTail=1

I've tried crcSalt to no avail. I even tried to disable followTail but in the log it said TailingProcessor: starting at offset whatever... and continued to not do what I wanted.

Is there a way to "reset" the entries resulting from this stanza and force a re-index? And why did it die?

woodcock · ‎06-01-2015

The short answer is: do not use followTail=1:
http://answers.splunk.com/answers/57819/when-is-it-appropriate-to-set-followtail-to-true.html

Simple text file suddenly (but thoroughly) being ignored

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation