Re: Windows Forwarder - Unable to rotate/delete lo...

mcrawford44 · ‎07-29-2016

Has anyone run into this before? I'm unable to rotate logs due to files being opened by the forwarder. The files have not changed in several days. No new events, nothing. Shouldn't Splunk sleep or let go of the file?

martin_mueller · ‎07-30-2016

Maybe... though if you intend to delete the file very soon after it's been written and you have delayed forwarding, you may already be deleting it before the forwarder even starts to get a handle on the file.

As an alternative, you can see what happens if you set ignoreOlderThan=3d or something similar in inputs.conf - the forwarder might let go of the file entirely by then.

ddrillic · ‎07-29-2016

Similar case at On windows, I sometimes get an error during log rotation if splunk is monitoring that file; what's t...

martin_mueller · ‎07-29-2016

Have you tried the special Windows-only [MonitorNoHandle://<path>] in inputs.conf?

mcrawford44 · ‎07-30-2016

Won't this allow deletion of a file that is not completely indexed yet?

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?