Solved: What happens if a large log file being monitored h...

pkeller · ‎12-11-2015

If I'm monitoring a very large logfile

[monitor:///home/me/logs]
whitelist = (myApp)\.log$

/home/me/logs/myApp.log

And at some point, a process rotates the file to:

/home/me/logs/OLD/myApp.log

If the file hasn't fully been forwarded at the time of rotation ... will:

myApp.log be monitored in the new directory (assumed because OLD would be in scope for the monitored path)
myApp.log be monitored in its entirety, or will Splunk still know the offset that was last indexed

Thank you.

If

hortonew · ‎12-11-2015

Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.

View solution in original post

hortonew · ‎12-11-2015

Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.

What happens if a large log file being monitored hasn't fully been forwarded at the time of rotation?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

What happens if a large log file being monitored hasn't fully been forwarded at the time of rotation?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!