Windows Forwarder - Unable to rotate/delete log fi...

mcrawford44 · ‎07-29-2016

Has anyone run into this before? I'm unable to rotate logs due to files being opened by the forwarder. The files have not changed in several days. No new events, nothing. Shouldn't Splunk sleep or let go of the file?

martin_mueller · ‎07-30-2016

Maybe... though if you intend to delete the file very soon after it's been written and you have delayed forwarding, you may already be deleting it before the forwarder even starts to get a handle on the file.

As an alternative, you can see what happens if you set ignoreOlderThan=3d or something similar in inputs.conf - the forwarder might let go of the file entirely by then.

ddrillic · ‎07-29-2016

Similar case at On windows, I sometimes get an error during log rotation if splunk is monitoring that file; what's t...

martin_mueller · ‎07-29-2016

Have you tried the special Windows-only [MonitorNoHandle://<path>] in inputs.conf?

mcrawford44 · ‎07-30-2016

Won't this allow deletion of a file that is not completely indexed yet?

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside