Getting Data In

Splunk Forwarder behavior

smahtha
Engager

Two questions:

  1. Does the Splunk forwarder maintain some kind of log files (or, for that matter, anything) which might keep growing in size and hog disk space?

  2. How does the Splunk forwarder read a file? Does it keep the file open, or does it periodically open and then close it? We want to understand whether the Splunk forwarder will be invisible to our own processes that delete older files and won't disrupt existing processes by keeping open handles to the files.

1 Solution

proctorgeorge
Path Finder
  1. Yes, Splunk forwarders have log files. They are located at \SplunkUniversalForwarder\var\log\splunk. The two most active ones are metrics.log and splunkd.log; metrics usually grows at a constant rate, while splunkd will grow fast if there are errors that go unfixed. By default these files will grow to 25 MB and then be renamed to metrics.log.1, metrics.log.2, metrics.log.3, etc.; by default this goes on until 5 such files are present, after which the oldest one is deleted. Thus they can take up anywhere from 125 MB to 150 MB for each log type (though again, only metrics.log will get constant activity; on our average forwarder after 6 months of use all the other log files combined are less than 1 MB). This log size and the number of rollover files are adjustable in the $SPLUNK_HOME/etc/log.cfg configuration file, so it is really up to you how much space they use.

  2. Check out Dwaddle's response to this question for more insight, but I am not confident enough in the internal workings to give a more detailed answer. Splunk seems to do both, depending on how fast the file is being modified.
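Two checks for the questions above, as an added example that is not part of the original post or of Splunk's own code. The first turns the answer's arithmetic (file cap times rotation count) into a budget you can compare against what is actually on disk; the second shows the POSIX open-handle semantics behind question 2, which is about the operating system, not a statement of how the forwarder opens files. Assumptions: the log.cfg fragment is constructed for the example in the log4j-style key names `fileName`, `maxFileSize` and `maxBackupIndex`, and rotated files are named name, name.1, name.2, ... as the answer describes.

```python
"""Added example, not from the original post: a rollover disk budget check for
the forwarder's own logs, plus a demonstration of unlink-while-open semantics.

Assumptions (see lead-in): log4j-style keys in log.cfg, and rotation names
<base>, <base>.1, <base>.2, ... The sample fragment below is constructed.
"""
import os
import re
import tempfile

# Constructed sample in the key style of $SPLUNK_HOME/etc/log.cfg (assumption).
SAMPLE_LOG_CFG = """\
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=25000000
appender.A1.maxBackupIndex=5
appender.metrics=RollingFileAppender
appender.metrics.fileName=${SPLUNK_HOME}/var/log/splunk/metrics.log
appender.metrics.maxFileSize=25000000
appender.metrics.maxBackupIndex=5
"""

_KEY = re.compile(
    r"^appender\.(?P<name>[^.=\s]+)\.(?P<key>fileName|maxFileSize|maxBackupIndex)=(?P<val>.+)$"
)


def rollover_budget(cfg_text):
    """Worst-case bytes each rolling appender can occupy: the live file plus
    maxBackupIndex rotated copies, each up to maxFileSize. Returns {basename: bytes}."""
    appenders = {}
    for line in cfg_text.splitlines():
        m = _KEY.match(line.strip())
        if m:
            appenders.setdefault(m["name"], {})[m["key"]] = m["val"].strip()
    budget = {}
    for a in appenders.values():
        if "fileName" not in a:
            continue
        base = os.path.basename(a["fileName"])
        size = int(a.get("maxFileSize", 0))
        backups = int(a.get("maxBackupIndex", 0))
        budget[base] = size * (backups + 1)
    return budget


def measured_usage(log_dir, base):
    """Bytes currently used by <base> and its numbered rotations (<base>.1, ...)."""
    total = 0
    for entry in os.listdir(log_dir):
        if entry == base or re.fullmatch(re.escape(base) + r"\.\d+", entry):
            total += os.path.getsize(os.path.join(log_dir, entry))
    return total


def over_budget(cfg_text, log_dir):
    """Log types whose on-disk usage exceeds what log.cfg allows; anything
    listed is growing outside the rotation rules and deserves a look."""
    budget = rollover_budget(cfg_text)
    return sorted(b for b, cap in budget.items() if measured_usage(log_dir, b) > cap)


def unlink_while_open(path):
    """POSIX behaviour relevant to question 2: a process holding a descriptor
    keeps the inode (and its disk blocks) alive after unlink(). Deletion by a
    cleanup job succeeds, but space is not freed until the handle closes.
    Returns (dir_entry_gone, still_readable, link_count)."""
    with open(path, "rb") as fh:
        os.unlink(path)
        gone = not os.path.exists(path)
        data = fh.read()
        nlink = os.fstat(fh.fileno()).st_nlink
    return gone, len(data) > 0, nlink


def demo():
    """Run both checks against a throwaway directory; returns the results."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed layout: metrics.log plus two rotations well under the cap,
        # and a splunkd.log that has grown past the 150 MB budget (sparse file).
        for name, size in [("metrics.log", 10), ("metrics.log.1", 20),
                           ("metrics.log.2", 30), ("splunkd.log", 150_000_001)]:
            with open(os.path.join(d, name), "wb") as f:
                f.truncate(size)
        victim = os.path.join(d, "metrics.log.2")
        return {
            "budget": rollover_budget(SAMPLE_LOG_CFG),
            "metrics_usage": measured_usage(d, "metrics.log"),
            "over": over_budget(SAMPLE_LOG_CFG, d),
            "unlink": unlink_while_open(victim),
        }


if __name__ == "__main__":
    print(demo())
```

Point `over_budget` at a real forwarder's log.cfg and var/log/splunk directory to get the same comparison on a live host. The unlink demonstration is the reason a rotation script that deletes files should not be treated as proof that space was reclaimed: check with lsof (or the equivalent handle tool on Windows) whether a reader still holds the file.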

