Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is Splunk forwarder locking file

damucka
Builder
‎11-04-2019 01:40 AM

Hello,

We have the issue with the Splunk forwarder, which we would like to understand. We monitor one of the directories for the pattern dev_*. The point is that there is a file there, dev_tp_23480, which is created, then deleted, then again created from the application side.
The issue is that apparently Splunk sets a lock and the second creation of the file by the application is not possible anymore, we get an error.
After Splunk forwarder gets switched off, all runs fine again, the dev_tp_23480 can be created. So the issue has definitely something to do with Splunk.

We do not need this file actually in Splunk, so I have set the blacklist on dev_tp as a workaround, but I am really curious to understand the root cause as it can have an impact on several landscapes.

Also, we took a trace of the file accesses (please see picture / attachment) and we clearly see that the splunkd is accessing/checking this file with really high frequency.
Actually, from the configuration interval (15 sec) I would expect splunkd checking files only 15 sec.
Do I understand it wrong?
And if splunkd checks the files in the realtime, isn't it a bit resource intensive? Can it be parametrized? (frequency)

Kind Regards,
Kamil

alt text

file-access-trace.png
Preview file
90 KB
Reply

manjunathmeti
Champion
‎11-04-2019 11:18 PM

Best thing is not to monitor the file itself. As per my understanding there is no interval control over file monitoring, it is only there for modular and scripted inputs.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top