Getting Data In

Why does my Splunk universal forwarder monitor stop processing files the next day after they roll over?

a212830
Champion

Hi,

I have a Splunk Universal Forwarder running on Windows 2012, monitoring a bunch of files in different folders. The files are monitored fine, until the next day, when they stop. No idea why. The files are in the format someUniqueIdentifier_hostname_MM-DD-YYYY_HHMMSS.txt.

Here are some examples:

VMHostConfig_ABCC002VWIN.FMR.COM_01-01-2016_012804.txt
VMHostConfig_ABCC002VWIN.FMR.COM_01-02-2016_012801.txt

My inputs look like this:

[monitor://D:\productionscriptdata\vmhost_config\VMHostConfig_*.txt]
index = distributed
sourcetype = vmhostconfig
followTail = 0
crcSalt = <SOURCE>
ignoreOlderThan = 7d

Any suggestions?

0 Karma

prakash007
Builder

Check your splunkd.log and metrics.log to see if you can find any errors.

0 Karma

sloshburch
Ultra Champion

Are the files older than the 7d limit? I know that's too easy 😞
Was there anything in the splunkd.log corresponding to that monitor input? You can turn on debug mode for that component (http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Enabledebuglogging), or restart Splunk on that forwarder with debug mode by running ./splunk restart --debug (although I think it no longer exists for Windows forwarders - I forget).

What technology generates the new files? Might be worth seeing if other folks have had issues with that and Splunk?

Some may suggest the alwaysOpenFile setting but I say wait until support has you implement that because of the performance issues.

That said, if you can't find evidence of this, nor any blocking within metrics.log, you should consider a support ticket as it sounds like the feature is not working as documented/expected.

0 Karma

esix_splunk
Splunk Employee

Do these files all happen to have the same headers? Sometimes if the header length is over the default of 256 bytes, Splunk won't recognize a rolled file. Check the inputs.conf spec for:

initCrcLength = <integer>
  • This setting adjusts how much of a file Splunk reads before trying to identify whether it is a file that has already been seen. You may want to adjust this if you have many files with common headers (comment headers, long CSV headers, etc) and recurring filenames.

Change that to a larger value.

0 Karma
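Added example, not part of the original thread and not Splunk's code: a simplified Python model of the "have I seen this file before" check discussed above, showing how a shared header longer than 256 bytes makes a new daily file look already indexed, and how a larger initCrcLength or crcSalt = <SOURCE> changes the outcome. Assumptions: zlib.crc32 stands in for the forwarder's checksum, and the function names, header and file contents are constructed for illustration.

```python
import zlib

DEFAULT_INIT_CRC_LENGTH = 256  # default mentioned in the thread


def initial_crc(content, source, init_crc_length=DEFAULT_INIT_CRC_LENGTH,
                salt_with_source=False):
    """Checksum the first init_crc_length bytes of a file.

    With salt_with_source=True the full source path is mixed in, which is
    what crcSalt = <SOURCE> asks for. (Simplified model, not Splunk's code.)
    """
    salt = source.encode() if salt_with_source else b""
    return zlib.crc32(salt + content[:init_crc_length])


def files_skipped_as_seen(files, init_crc_length=DEFAULT_INIT_CRC_LENGTH,
                          salt_with_source=False):
    """Return the sources whose initial CRC matches an earlier file."""
    seen, skipped = set(), []
    for source, content in files:
        crc = initial_crc(content, source, init_crc_length, salt_with_source)
        if crc in seen:
            skipped.append(source)   # looks like an already-indexed file
        else:
            seen.add(crc)
    return skipped


# Constructed sample: two daily files that share a header longer than 256 bytes.
MONITOR_DIR = r"D:\productionscriptdata\vmhost_config"
HEADER = b"# VMHost configuration export\n# " + b"-" * 300 + b"\n"
FILES = [
    (MONITOR_DIR + "\\VMHostConfig_ABCC002VWIN.FMR.COM_01-01-2016_012804.txt",
     HEADER + b"2016-01-01 host config\n"),
    (MONITOR_DIR + "\\VMHostConfig_ABCC002VWIN.FMR.COM_01-02-2016_012801.txt",
     HEADER + b"2016-01-02 host config\n"),
]

if __name__ == "__main__":
    print("default 256 bytes :", files_skipped_as_seen(FILES))
    print("initCrcLength 1024:", files_skipped_as_seen(FILES, init_crc_length=1024))
    print("crcSalt = <SOURCE>:", files_skipped_as_seen(FILES, salt_with_source=True))
```

In this model only the default, unsalted case skips the second day's file; files whose first 256 bytes already differ are never skipped.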

a212830
Champion

No, no headers. It's all unique, with timestamps.

0 Karma