Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does data stop getting indexed after a log rotation?

Arkon
Explorer
‎07-29-2016 05:52 PM

Hi,

I noticed that, right after a log rotation, the data is not being indexed anymore.
Data is still going through /var/log/myapp.log and /var/log/messages (rsyslog UDP), so it all arrives on the machine (at 100%), but it is not being indexed.

On Splunk, I am monitoring logs arriving with real-time searches. Before log-rotate, everything is fine and logs are arriving on a regular basis. After logrotate, I do not get anything anymore.

Here is my inputs.conf:

[monitor:///var/log/myapp.log]
sourcetype = myappsourcetype
crcSalt = <SOURCE>
crcSalt = 2048
disabled = 0

My log rotate conf:

"/var/log/myapp.log" {
  monthly
  size 100M
  rotate 30
  compress
  postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` &> /dev/null || true
  endscript
}

My sourcetype shouldn't be the problem as it only contains some side fields extractions.

Thank you very much in advance

Reply
1 Solution
Solved! Jump to solution
Solution

sjohnson_splunk
Splunk Employee
Splunk Employee
‎08-01-2016 06:14 PM

I have encountered the problem. Upon rotation the current logfile is moved and compressed. Then a new file is created with the same name. That is a problem since Splunk has the log file opened at the time of rotation, it seems to follow the old file (nothing else is written to it so you don't see any more data).

The solution is with your log rotate script. You either need to use the copytruncate option or else the postrotate/script option to restart the Splunk forwarder.

View solution in original post

Reply
Solved! Jump to solution

Arkon
Explorer
‎08-01-2016 04:12 PM

Thanks! So I removed crcSalt but it is still the same issue: I receive the logs but right after logrotate, they are not arriving anymore.

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎08-01-2016 04:21 PM

Just to be clear... you restarted the forwarder after making this change?

0 Karma
Reply
Solved! Jump to solution

Arkon
Explorer
‎08-01-2016 04:45 PM

Yes I removed crcSalt and restarting splunk right after.
I then did a logrotate -f /var/log/myapp.log and then I could not see the new events anymore.

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎08-01-2016 04:53 PM

What do the _internal logs say? Check with index=_internal host=yourhost myapp.log. You should see a series of logs there at the time you forced the log rotation.

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎07-30-2016 07:08 PM

ddrillic: Ding!

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎07-29-2016 06:07 PM

You very very very very likely do not want to use crcSalt. It's the truly rare log file that requires it.

0 Karma
Reply
Solved! Jump to solution

Arkon
Explorer
‎07-29-2016 06:01 PM

It looks like that deleting the file and restarting rsyslog fix the issue.
Does that mean the problem is coming from Rsyslog or Splunk "loosing his pointer" to the file?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...