Windows Forwarder - Unable to rotate/delete log fi...

mcrawford44 · ‎07-29-2016

Has anyone run into this before? I'm unable to rotate logs due to files being opened by the forwarder. The files have not changed in several days. No new events, nothing. Shouldn't Splunk sleep or let go of the file?

martin_mueller · ‎07-30-2016

Maybe... though if you intend to delete the file very soon after it's been written and you have delayed forwarding, you may already be deleting it before the forwarder even starts to get a handle on the file.

As an alternative, you can see what happens if you set ignoreOlderThan=3d or something similar in inputs.conf - the forwarder might let go of the file entirely by then.

ddrillic · ‎07-29-2016

Similar case at On windows, I sometimes get an error during log rotation if splunk is monitoring that file; what's t...

martin_mueller · ‎07-29-2016

Have you tried the special Windows-only [MonitorNoHandle://<path>] in inputs.conf?

mcrawford44 · ‎07-30-2016

Won't this allow deletion of a file that is not completely indexed yet?

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation