Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Forwarder preventing application from logging

ebuljan
New Member
‎06-11-2018 02:34 PM

Our Splunk Forwarder on Windows Server is monitoring 2 folders containing approximately 1k log files total. I am ignoring the vast majority of the files. Each log file is fairly large, and is constantly being written to. Each one contains a day's worth of data, about 24k lines of text when the day is over.

When the Splunk Forwarder is on, the application that logs to it seems to skip logging intermittent lines of text. When it is off, all lines are logged.

Our inputs.conf file is very sparse:

[monitor://C:\Data\Import\log\*.log]
ignoreOlderThan = 2d 

[monitor://C:\Data\Export\log\*.log]
ignoreOlderThan = 2d

Any suggestions?

0 Karma
Reply

ebuljan
New Member
‎06-14-2018 12:31 PM

To clarify, Splunk is logging everything in the log files that it is monitoring, as expected.

But when the Splunk Forwarder is on, there are gaps in the log files.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎06-11-2018 10:20 PM

Does this log file get written to the top (head) of the file, or appended to the end of the file?

Take a look at CRCSALT or or FollowTail options for inputs.conf.

See here : https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Howlogfilerotationishandled

0 Karma
Reply

ebuljan
New Member
‎06-14-2018 09:33 AM

Thanks for your response. They are being written to the bottom.

A new file with a new name is created every day, so it doesn't sound like the CRC or FollowTail options would help in this case: "Do not use followTail for rolling log files (log files that get renamed as they age)..."

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-11-2018 04:06 PM

It might be also worth to check for anti virus software doing things ....

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎06-11-2018 02:56 PM

Any pertinent information in the Windows Application logs?

0 Karma
Reply

ebuljan
New Member
‎06-14-2018 09:29 AM

Nothing special in there

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...