Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is Splunk forwarder locking file

damucka
Builder
‎11-04-2019 01:40 AM

Hello,

We have the issue with the Splunk forwarder, which we would like to understand. We monitor one of the directories for the pattern dev_*. The point is that there is a file there, dev_tp_23480, which is created, then deleted, then again created from the application side.
The issue is that apparently Splunk sets a lock and the second creation of the file by the application is not possible anymore, we get an error.
After Splunk forwarder gets switched off, all runs fine again, the dev_tp_23480 can be created. So the issue has definitely something to do with Splunk.

We do not need this file actually in Splunk, so I have set the blacklist on dev_tp as a workaround, but I am really curious to understand the root cause as it can have an impact on several landscapes.

Also, we took a trace of the file accesses (please see picture / attachment) and we clearly see that the splunkd is accessing/checking this file with really high frequency.
Actually, from the configuration interval (15 sec) I would expect splunkd checking files only 15 sec.
Do I understand it wrong?
And if splunkd checks the files in the realtime, isn't it a bit resource intensive? Can it be parametrized? (frequency)

Kind Regards,
Kamil

alt text

Preview file
90 KB
Reply

manjunathmeti
Champion
‎11-04-2019 11:18 PM

Best thing is not to monitor the file itself. As per my understanding there is no interval control over file monitoring, it is only there for modular and scripted inputs.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...