Solved: What happens if a large log file being monitored h...

pkeller · ‎12-11-2015

If I'm monitoring a very large logfile

[monitor:///home/me/logs]
whitelist = (myApp)\.log$

/home/me/logs/myApp.log

And at some point, a process rotates the file to:

/home/me/logs/OLD/myApp.log

If the file hasn't fully been forwarded at the time of rotation ... will:

myApp.log be monitored in the new directory (assumed because OLD would be in scope for the monitored path)
myApp.log be monitored in its entirety, or will Splunk still know the offset that was last indexed

Thank you.

If

hortonew · ‎12-11-2015

Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.

View solution in original post

hortonew · ‎12-11-2015

Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.

What happens if a large log file being monitored hasn't fully been forwarded at the time of rotation?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

What happens if a large log file being monitored hasn't fully been forwarded at the time of rotation?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...