Getting Data In

Why is Splunk forwarder locking file

damucka
Builder

Hello,

We have the issue with the Splunk forwarder, which we would like to understand. We monitor one of the directories for the pattern dev_*. The point is that there is a file there, dev_tp_23480, which is created, then deleted, then again created from the application side.
The issue is that apparently Splunk sets a lock and the second creation of the file by the application is not possible anymore, we get an error.
After Splunk forwarder gets switched off, all runs fine again, the dev_tp_23480 can be created. So the issue has definitely something to do with Splunk.

We do not need this file actually in Splunk, so I have set the blacklist on dev_tp as a workaround, but I am really curious to understand the root cause as it can have an impact on several landscapes.

Also, we took a trace of the file accesses (please see picture / attachment) and we clearly see that the splunkd is accessing/checking this file with really high frequency.
Actually, from the configuration interval (15 sec) I would expect splunkd checking files only 15 sec.
Do I understand it wrong?
And if splunkd checks the files in the realtime, isn't it a bit resource intensive? Can it be parametrized? (frequency)

Kind Regards,
Kamil

alt text

manjunathmeti
Champion

Best thing is not to monitor the file itself. As per my understanding there is no interval control over file monitoring, it is only there for modular and scripted inputs.

0 Karma
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...