Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is Splunk unable to detect modified files when monitoring files on CIFS mount?

yannK
Splunk Employee
Splunk Employee
‎01-10-2017 03:48 PM

I have a CIFS mount from Azure on a server.
Then a Splunk forwarder monitoring the mounted folder.

I discovered that Splunk can detect the files when starting, but not later when a file is modified.

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-10-2017 03:51 PM

Explanation :

Folder modification time in MAFS (Microsoft Azure File System) is not updated ! Splunk is unable to properly monitor the folder as there's no change triggering ingestion of the new files. This is not a bug in Splunk, but limitation of the Azure File Storage ... even windows explorer and Azure web interface are showing creation time as the last modification date !

Full list of limitations can be found here:
https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/Features-Not-Supported-By-the...

The possible workarounds are :

  • manually update your file modification time, to force detection.
    The only workaround we were able to come up with (that actually works) was to update the destination folder last modification time manually
    (e.g. by using a script after uploading log files):
    PowerShell

    (Get-Item ).LastWriteTime = Get-Date

    • restart splunk on a regular basis
    • reload splunk inputs on a regular basis (not to often if you have too many files to scan each time) example : splunk _internal call /data/inputs/monitor/_reload -auth admin:changeme

Or not monitor Azure, and copy the files outside of the mount each time.

View solution in original post

Reply
Solved! Jump to solution

rokxer
Explorer
‎05-29-2025 01:12 AM

For linux systems you can execute touch on the folder that the logs reside in.

Location of files: /mnt/mymountedazurefile/myfolder/logfile.json
Mounted shared drive: /mnt/mymountedazurefile

Command: touch /mnt/mymountedazurefile/myfolder

Splunk detects the new files instantly. It is a better solution than restarting splunk service. 

We have a splunk server that has a mounted shared from Azure Files. All the app services in azure write to the same shared disk for log files.

This is a temporary solution until we migrate application logging to Azure Event Hub.



A useful commad for debuggin:
/opt/splunk/bin/splunk list inputstatus | grep <filename>

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎01-10-2017 03:51 PM

Explanation :

Folder modification time in MAFS (Microsoft Azure File System) is not updated ! Splunk is unable to properly monitor the folder as there's no change triggering ingestion of the new files. This is not a bug in Splunk, but limitation of the Azure File Storage ... even windows explorer and Azure web interface are showing creation time as the last modification date !

Full list of limitations can be found here:
https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/Features-Not-Supported-By-the...

The possible workarounds are :

  • manually update your file modification time, to force detection.
    The only workaround we were able to come up with (that actually works) was to update the destination folder last modification time manually
    (e.g. by using a script after uploading log files):
    PowerShell

    (Get-Item ).LastWriteTime = Get-Date

    • restart splunk on a regular basis
    • reload splunk inputs on a regular basis (not to often if you have too many files to scan each time) example : splunk _internal call /data/inputs/monitor/_reload -auth admin:changeme

Or not monitor Azure, and copy the files outside of the mount each time.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-03-2022 09:37 AM

An Ideas was opened on the subject, you can vote for it

https://ideas.splunk.com/ideas/EID-I-1341

 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...