Getting Data In

Splunk Forwarder doesn't monitor new files

IlianYotov
Loves-to-Learn

Hello,

I need some help. 

I have a folder and an app that writes logs in NDJSON format and creates a new log file every 15 minutes. 

The configuration that I use is this:

[monitor:///Users/yotov/app/.logs/.../*.log]
disabled = false
sourcetype = ndjson
crcSalt = <SOURCE>
alwaysOpenFile = 1

The problem is that Splunk Forwarder doesn't detect newly added files. It reads only the files present at start, and detects newly added content in them, but when a new file is added, it is ignored until Splunk Forwarder is restarted.

I'm using the latest version of Splunk Forwarder and tried under Linux and macOS.

What am I missing?

0 Karma

IlianYotov
Loves-to-Learn

How does Splunk detect a new file? Does it use polling, or does it depend on inotify on Linux, for example?

0 Karma

PickleRick
SplunkTrust

splunk list monitor

and

splunk list inputstatus

are your friends here.

Also - crcSalt = <SOURCE> is a setting often used by newcomers to Splunk, but in reality it's rarely needed (usually raising initCrcLength suffices).

alwaysOpenFile is most typically not needed. Leave it at default unless you're doing some weird stuff on Windows.

My suspicion would be that since you have many files (almost a hundred files for each day), you're running out of file descriptors.

0 Karma

IlianYotov
Loves-to-Learn

@PickleRick Yes, rolling files every 15 minutes could produce hundreds of files, but my tests were executed with a very small number of files (10 - 20), and even with these files Splunk doesn't monitor the newly created ones. I will check the commands you wrote and hope to find what the problem is.

0 Karma

VatsalJagani
SplunkTrust

@IlianYotov - Just to clarify, the path you are trying to look at is

/Users/yotov/app/.logs/.../*.log

  • Inside /Users/yotov/app
  • There is a hidden folder named ".logs"
  • Inside that, there are sub-folders
  • Inside which there are files with the .log extension at the end.

Also, is there any specific reason for using alwaysOpenFile parameter?

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf 

0 Karma

IlianYotov
Loves-to-Learn

Yes, and here is an example:

/Users/yotov/app/.logs/
- 1/
   - 2024-05-14/
      - 10_00_00.log
      - 10_15_00.log
      ( every 15 minutes a new file is created )
      - 15_00_00.log
- 2/
   - 2024-05-14/
      - 10_00_00.log
      - 10_15_00.log
     ....

About alwaysOpenFile - no, I tried with and without it, but nothing happens.

0 Karma

gcusello
SplunkTrust

Hi @IlianYotov,

do new files have the same name as the previous ones or a different one?

did you check without the "crcSalt = <SOURCE>" option?

Is it possible that the new files have the same content as the previous ones?

Ciao.

Giuseppe

0 Karma
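The two remarks above (PickleRick's point that raising initCrcLength usually replaces crcSalt = <SOURCE>, and gcusello's question whether new files start with the same content) both come down to how the file monitor fingerprints a file. The script below is an added example written for this thread; it is not code from any participant or from Splunk. It models the documented behaviour: a CRC over the first initCrcLength bytes (default 256) identifies a file, and crcSalt = <SOURCE> mixes the path into that fingerprint. zlib.crc32 stands in for Splunk's CRC (an assumption), and the NDJSON files, the directory layout from the poster's example and the hypothetical "startup" header event are all constructed here.

```python
"""Model of the Splunk file monitor's initial-CRC fingerprint (constructed example)."""
import os
import tempfile
import zlib

# ASSUMPTION: the monitor hashes the first initCrcLength bytes (default 256) and treats
# an equal CRC as "file already seen". zlib.crc32 is a stand-in for Splunk's CRC.
DEFAULT_INIT_CRC_LENGTH = 256

# Constructed NDJSON content. Two files under "1/" begin with an identical boilerplate
# "startup" event that is longer than 256 bytes; the file under "2/" starts differently.
HEADER_EVENT = (
    '{"event":"startup","app":"demo","version":"1.0.0","host":"mac","pid":1234,'
    '"msg":"service started and waiting for requests","padding":"' + "x" * 160 + '"}\n'
)
SAMPLE_FILES = {
    "1/2024-05-14/10_00_00.log": HEADER_EVENT + '{"event":"request","path":"/a","status":200}\n',
    "1/2024-05-14/10_15_00.log": HEADER_EVENT + '{"event":"request","path":"/b","status":500}\n',
    "2/2024-05-14/10_00_00.log": '{"event":"startup","app":"other"}\n{"event":"request","path":"/c"}\n',
}


def write_tree(root):
    """Create <root>/.logs/<n>/<date>/<time>.log files mirroring the poster's layout."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, ".logs", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def expand_monitor_path(root):
    """Model of [monitor:///<root>/.logs/.../*.log]: '...' recurses into every
    subdirectory and '*.log' matches by suffix in each of them."""
    base = os.path.join(root, ".logs")
    matches = []
    for dirpath, _dirs, files in os.walk(base):
        matches.extend(os.path.join(dirpath, f) for f in files if f.endswith(".log"))
    return sorted(matches)


def init_crc(path, init_crc_length=DEFAULT_INIT_CRC_LENGTH, salt_source=False):
    """Fingerprint a file the way the monitor is modelled to: CRC of the leading bytes,
    optionally salted with the source path (crcSalt = <SOURCE>)."""
    with open(path, "rb") as fh:
        head = fh.read(init_crc_length)
    if salt_source:
        head += path.encode("utf-8")
    return zlib.crc32(head) & 0xFFFFFFFF


def fingerprint_collisions(paths, **kwargs):
    """Return {crc: [paths]} for every CRC shared by more than one file."""
    seen = {}
    for p in paths:
        seen.setdefault(init_crc(p, **kwargs), []).append(p)
    return {crc: ps for crc, ps in seen.items() if len(ps) > 1}


def demo():
    """Build the tree and count files whose fingerprints collide under each setting."""
    root = tempfile.mkdtemp(prefix="splunk_crc_demo_")
    write_tree(root)
    files = expand_monitor_path(root)

    def colliding(**kwargs):
        return sum(len(v) for v in fingerprint_collisions(files, **kwargs).values())

    return {
        "files_matched": len(files),
        "collisions_default": colliding(),                      # 256-byte CRC, no salt
        "collisions_longer_crc": colliding(init_crc_length=512),  # raised initCrcLength
        "collisions_salted": colliding(salt_source=True),         # crcSalt = <SOURCE>
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the default 256-byte window the two files that share a header event collide, so under this model the second one would be treated as an already-indexed file and silently skipped, which is exactly the symptom of "new file never picked up" that neither inotify nor polling explains. Either a longer initCrcLength (the whole header plus the first distinct event) or the source salt separates them; in this thread the poster's files have distinct content, so the fingerprint is unlikely to be the cause, and `splunk list inputstatus` remains the place to confirm what the monitor actually did with each path.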

IlianYotov
Loves-to-Learn

Hi @gcusello 

No, the new file has a different name (the name is the time when it was generated). The content of the files is not the same because they contain. I tried different options of crcSalt but nothing happened.

I also checked the logs in $SPLUNK_FORWARDER/var/log/splunk/metrics.log, but there are no logs about new files.

0 Karma