Re: Windows Forwarder - Unable to rotate/delete lo...

mcrawford44 · ‎07-29-2016

Has anyone run into this before? I'm unable to rotate logs due to files being opened by the forwarder. The files have not changed in several days. No new events, nothing. Shouldn't Splunk sleep or let go of the file?

martin_mueller · ‎07-30-2016

Maybe... though if you intend to delete the file very soon after it's been written and you have delayed forwarding, you may already be deleting it before the forwarder even starts to get a handle on the file.

As an alternative, you can see what happens if you set ignoreOlderThan=3d or something similar in inputs.conf - the forwarder might let go of the file entirely by then.

ddrillic · ‎07-29-2016

Similar case at On windows, I sometimes get an error during log rotation if splunk is monitoring that file; what's t...

martin_mueller · ‎07-29-2016

Have you tried the special Windows-only [MonitorNoHandle://<path>] in inputs.conf?

mcrawford44 · ‎07-30-2016

Won't this allow deletion of a file that is not completely indexed yet?

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation