Sometimes get a TailReader ERROR on monitoring a f...

adamsmith47 · ‎06-13-2018

I have a Windows 2008 R2 server with a Splunk UF v6.6.7 installed.

We are monitoring many files on this server. Occasionally our data looks weird, and we come to find out a file wasn't indexed as we'd expect. Today a file wasn't indexed properly, so I looked at the logs, sure enough there is a TailReader ERROR. I'm sure restarting the Splunk UF will resolve (this is how we've fixed it before), but I'd REALLY love to know why this is happening, and prevent it.

Scrubbed btool of the inputs.conf stanza:

[monitor:D:\Logs\<my_folder>]
_rcvbuf = 1572864
crcSalt = <SOURCE>
disabled = false
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = <my_host>
ignoreOlderThan = 14d
index = <my_index>
sourcetype = <my_sourcetype>
whitelist = <my_filename_prefix>.+\.csv

Scrubbed log from today when file wasn't indexed:

06-13-2018 15:17:22.014 -0400 ERROR TailReader - error from read call from 'D:\Logs\<my_folder>\<my_filename_prefix>_06-13-2018.csv'.

Any help is greatly appreciated! Thank you!
Adam

cpetterborg · ‎06-13-2018

Just shooting from the hip here, but we are talking about Windows. If there is a process actively writing to a file on Windows, it may have a read error due to the nature of how Windows can completely lock a file. Is this happening consistently on that file? I don't know if this would then prevent continued processing of the file, but it could be something to look into.

Sometimes get a TailReader ERROR on monitoring a file. Why?

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI