Getting Data In

Why is Splunk unable to detect modified files when monitoring files on CIFS mount?

yannK
Splunk Employee
Splunk Employee

I have a CIFS mount from Azure on a server.
Then a Splunk forwarder monitoring the mounted folder.

I discovered that Splunk can detect the files when starting, but not later when a file is modified.

1 Solution

yannK
Splunk Employee
Splunk Employee

Explanation :

Folder modification time in MAFS (Microsoft Azure File System) is not updated ! Splunk is unable to properly monitor the folder as there's no change triggering ingestion of the new files. This is not a bug in Splunk, but limitation of the Azure File Storage ... even windows explorer and Azure web interface are showing creation time as the last modification date !

Full list of limitations can be found here:
https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/Features-Not-Supported-By-the...

The possible workarounds are :

  • manually update your file modification time, to force detection.
    The only workaround we were able to come up with (that actually works) was to update the destination folder last modification time manually
    (e.g. by using a script after uploading log files):
    PowerShell

    (Get-Item ).LastWriteTime = Get-Date

    • restart splunk on a regular basis
    • reload splunk inputs on a regular basis (not to often if you have too many files to scan each time) example : splunk _internal call /data/inputs/monitor/_reload -auth admin:changeme

Or not monitor Azure, and copy the files outside of the mount each time.

View solution in original post

yannK
Splunk Employee
Splunk Employee

Explanation :

Folder modification time in MAFS (Microsoft Azure File System) is not updated ! Splunk is unable to properly monitor the folder as there's no change triggering ingestion of the new files. This is not a bug in Splunk, but limitation of the Azure File Storage ... even windows explorer and Azure web interface are showing creation time as the last modification date !

Full list of limitations can be found here:
https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/Features-Not-Supported-By-the...

The possible workarounds are :

  • manually update your file modification time, to force detection.
    The only workaround we were able to come up with (that actually works) was to update the destination folder last modification time manually
    (e.g. by using a script after uploading log files):
    PowerShell

    (Get-Item ).LastWriteTime = Get-Date

    • restart splunk on a regular basis
    • reload splunk inputs on a regular basis (not to often if you have too many files to scan each time) example : splunk _internal call /data/inputs/monitor/_reload -auth admin:changeme

Or not monitor Azure, and copy the files outside of the mount each time.

yannK
Splunk Employee
Splunk Employee

An Ideas was opened on the subject, you can vote for it

https://ideas.splunk.com/ideas/EID-I-1341

 

Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...