I have a Splunk Universal Forwarder running on Windows 2012, monitoring a bunch of files in different folders. The files are monitored fine, until the next day, when they stop. No idea why. The files are in the format
Here are some examples:
My inputs look like this:
[monitor://D:\productionscriptdata\vmhost_config\VMHostConfig_*.txt]
index = distributed
sourcetype = vmhostconfig
followTail = 0
crcSalt = <SOURCE>
ignoreOlderThan = 7d
Are the files older than the 7d limit? I know that's too easy 😞
Was there anything in the splunkd.log corresponding to that monitor input? You can turn on debug mode for that component (http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Enabledebuglogging), or restart Splunk on that forwarder with debug mode by running ./splunk restart --debug (although I think it no longer exists for Windows forwarders - I forget)
What technology generates the new files? Might be worth seeing if other folks have had issues with that and Splunk?
Some may suggest the alwaysOpenFile setting, but I say wait until support has you implement that because of the performance issues.
That said, if you can't find evidence of this, nor any blocking within metrics.log, you should consider a support ticket as it sounds like the feature is not working as documented/expected.
Do these files all happen to have the same headers? Sometimes if the header length is over the default of 256 bytes, Splunk won't recognize a rolled file. Check the inputs.conf spec for:
initCrcLength = <integer>
Change that to a larger value.
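A diagnostic for the initCrcLength suggestion above, added here as an example and not code from the thread or from Splunk. It compares the leading bytes of the monitored files (the region the initial CRC is computed over) rather than reproducing Splunk's checksum; the function names, file names and sample contents are constructed.

```python
import itertools, os, tempfile
from collections import defaultdict

DEFAULT_INIT_CRC_LENGTH = 256  # default named in the answer above

def colliding_groups(paths, length=DEFAULT_INIT_CRC_LENGTH):
    """Return lists of files whose first `length` bytes are identical."""
    groups = defaultdict(list)
    for path in paths:
        with open(path, "rb") as fh:
            groups[fh.read(length)].append(path)
    return [sorted(g) for g in groups.values() if len(g) > 1]

def first_difference(path_a, path_b):
    """Offset of the first differing byte, or None if the files are identical."""
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        data_a, data_b = a.read(), b.read()
    if data_a == data_b:
        return None
    for i, (x, y) in enumerate(zip(data_a, data_b)):
        if x != y:
            return i
    return min(len(data_a), len(data_b))  # one file is a prefix of the other

def minimum_distinguishing_length(paths, length=DEFAULT_INIT_CRC_LENGTH):
    """Smallest prefix length separating every colliding pair.
    Returns `length` if nothing collides, None if two files are byte-identical."""
    needed = length
    for group in colliding_groups(paths, length):
        for a, b in itertools.combinations(group, 2):
            offset = first_difference(a, b)
            if offset is None:
                return None  # no initCrcLength value can tell these apart
            needed = max(needed, offset + 1)
    return needed

def make_constructed_samples(directory):
    """Constructed sample data: three files sharing a 300-byte header."""
    header = (b"Name,Cluster,Version,Build,Vendor,Model\r\n" * 10)[:300]
    paths = []
    for day, host in (("20160101", b"esx01"), ("20160102", b"esx02"), ("20160103", b"esx03")):
        path = os.path.join(directory, "VMHostConfig_%s.txt" % day)
        with open(path, "wb") as fh:
            fh.write(header + host + b",prod\r\n")
        paths.append(path)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        files = make_constructed_samples(tmp)
        print("identical in first 256 bytes:", colliding_groups(files))
        print("initCrcLength must be at least:", minimum_distinguishing_length(files))
```

To run it against real data, pass the list of files matched by the monitor stanza to minimum_distinguishing_length instead of the constructed samples.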