Re: Splunk stops indexing logs on daily basis

prateeksawhney · ‎06-15-2022

Hi All,

I need your urgent help in fixing one of the issue in my PROD environment.

we have an application log which rotates twice daily. once in the afternoon and once around midnight. Logs starts feeding in splunk when log rotates around afternoon and stops feeding when log rotates around midnight.

if we do some minor changes to inputs like adding any extra parameter to inputs.conf if starts feeding again and then stops again in few seconds.

This is my inputs.conf

[monitor:///var/log/logpath/logpath/xx*.log]
sourcetype = abcd
disabled = false
index = xyz

this is my props.conf

[abcd]
SHOULD_LINEMERGE=TRUE
BREAK_ONLY_BEFORE = \w\|\d+\|\d{2}:\d{2}:\d{2}\.\d{6}
MAX_TIMESTAMP_LOOKAHEAD = 15
NO_BINARY_CHECK = true
TIME_FORMAT = %H:%M:%S.%6N
TIME_PREFIX = \w.*\|\d*\|
category = Custom
disabled = false
pulldown_type = true
TRUNCATE=50000
MAX_EVENTS = 9999

Please let me know if any other information is required here. Any help here will be highly appreciated.

Thanks in advance

Prateek

gcusello · ‎06-15-2022

hi @prateeksawhney,

which are the names of the log files before and after rotation?

Ciao.

Giuseppe

prateeksawhney · ‎06-15-2022

XXX++-461-20211001-165550.log
XXX++-461-20211006-170000.log
XXX++-56551-20211210-113917.log
XXX++-61336-20220118-071748.log

This is the name of the logfile, logfile name keeps on changing everytime logfile rotates.

Why does Splunk stop indexing logs on daily basis?

heavy forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation