Windows Forwarder - Unable to rotate/delete log fi...

mcrawford44 · ‎07-29-2016

Has anyone run into this before? I'm unable to rotate logs due to files being opened by the forwarder. The files have not changed in several days. No new events, nothing. Shouldn't Splunk sleep or let go of the file?

martin_mueller · ‎07-30-2016

Maybe... though if you intend to delete the file very soon after it's been written and you have delayed forwarding, you may already be deleting it before the forwarder even starts to get a handle on the file.

As an alternative, you can see what happens if you set ignoreOlderThan=3d or something similar in inputs.conf - the forwarder might let go of the file entirely by then.

ddrillic · ‎07-29-2016

Similar case at On windows, I sometimes get an error during log rotation if splunk is monitoring that file; what's t...

martin_mueller · ‎07-29-2016

Have you tried the special Windows-only [MonitorNoHandle://<path>] in inputs.conf?

mcrawford44 · ‎07-30-2016

Won't this allow deletion of a file that is not completely indexed yet?

Windows Forwarder - Unable to rotate/delete log file. Handle open by splunkd.exe?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM