Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Forwarder Tail Fails

OldManEd
Builder
‎06-26-2014 09:16 AM

I have several forwarders that are release 4.3.2. The issue is that the log files they are configured to send to my indexers periodically rotate. For some reason Splunk will not send any more data when this happens. But, if I restart the forwarder, data starts coming in with no problems. The strange thing is that this only happens on some of the forwarders.

File permissions were checked and found to be OK.

The related errors in the splunkd.log file are;

06-14-2014 08:00:08.608 -0600 ERROR TailingProcessor - Ignoring path due to: failed to open for checksum: '/var/tmp/xxx/xxx.log' (No such file or directory)

06-14-2014 08:00:09.911 -0600 ERROR TailingProcessor - Unable to resolve path for symlink: /var/tmp/xxx/xxx.log.

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎06-26-2014 10:39 AM

Splunk bugs go unreported (or undetected) often. I suggest upgrading to a later version of the forwarder, at least version 4.3.4 or 5.0.7 to see if you still encounter the issue.

View solution in original post

Reply
Solved! Jump to solution

scc00
Contributor
‎08-11-2015 08:51 AM

So I had the same issue. The fix was upping the permissions to the symlink. So check to see if the user for your splunk install can get to the full location and increase the permissions accordingly.

0 Karma
Reply
Solved! Jump to solution

kamaljagga
Path Finder
‎08-09-2019 10:42 AM

I am facing the same issue and my forwarder version is 4.2.6 and forwarder runs as root. Thinking of doing a clean re-install of forwarder.
If anyone found any other solution. Kindly advise.

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎06-26-2014 10:39 AM

Splunk bugs go unreported (or undetected) often. I suggest upgrading to a later version of the forwarder, at least version 4.3.4 or 5.0.7 to see if you still encounter the issue.

Reply
Solved! Jump to solution

Kawtar
Path Finder
‎08-19-2019 02:46 AM

I have the same problem, but the version is not the problem, how can we resolve that plz ?

0 Karma
Reply
Solved! Jump to solution

abonuccelli_spl
Splunk Employee
Splunk Employee
‎06-26-2014 10:06 AM

06-14-2014 08:00:09.911 -0600 ERROR
TailingProcessor - Unable to resolve
path for symlink:
/var/tmp/xxx/xxx.log.

can you actually resolve that symlink using ls?

tail /path/to/symlink

0 Karma
Reply
Solved! Jump to solution

OldManEd
Builder
‎06-26-2014 10:24 AM

Yes. The link is "/var/tmp/xxx/xxx.log -> /usr/xxx/yyy/AAA/work/xxx_aaa_99.log". From what I understand, the target of the link, in this case "/usr/xxx/yyy/AAA/work/xxx_aaa_99.log", is somehow "processed" and there is a period of about 1.0 to 1.5 seconds where it doesn't exist. But once the process is complete, everything functions correctly except the forwarder doesn't continue to tail the new file.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...