Getting Data In

how to index data from a log file which got generated when my forwarder was down?

saifuddin9122
Path Finder

Hello All,

I have a dumb question.

I have a few servers which will have heavy traffic, with log files rotating every few minutes. The problem I had: my forwarder was down for a few minutes, and in that downtime the log files got rotated and a new file was generated. My forwarder is reading the current log file, but when I search for data from the time when my forwarder was down, I get zero events. Does this mean I lost that data? If so, how should I read that data, and for the future, how should I address this problem?

Here are my example log file names:
webapp.log (currently written)
webapp.log.1 (rolled)
webapp.log.2 (rolled)
webapp.log.3 (rolled)
webapp.log.4 (rolled)

Here is my inputs.conf:

[monitor:///var/log/web/app/webapp.log]
index=main
sourcetype=web_application

Thanks for the help.

1 Solution

jtacy
Builder

Consider changing your input to:

[monitor:///var/log/web/app/webapp.log*]
index=main
sourcetype=web_application

If the logs are still in the folder this will capture them, but if the logs aren't on disk anymore I would imagine that the data is lost. The above configuration will help prevent this situation in the future. If you're concerned about duplicate events, consider that Splunk uses the data at the beginning of the file to determine if it has already read it, not the file name (by default).

There should be no negative effects from this change unless the star matches files you don't want to index. If that's the case, you might want to review the whitelist and blacklist options on your input to fine-tune what you capture:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf#MONITOR:

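An added illustration of the two points in the accepted answer (this is not code from the thread or from Splunk): a short Python simulation of what a wildcard monitor stanza plus a head-of-file fingerprint does across a rotation that happens while the forwarder is down. The files, log lines and the `FishBucket` class are constructed stand-ins; the fingerprint is a plain CRC32 over the first 256 bytes, which is an assumed simplification of how Splunk identifies a file rather than its real implementation.

```python
"""Simulate the accepted answer: a wildcard monitor path picks up the file that
rotated during the outage, and a head-of-file fingerprint (not the file name)
keeps the already indexed bytes from being read twice. Pure Python, no Splunk."""
import copy
import fnmatch
import os
import re
import tempfile
import zlib

# Assumption: mirrors Splunk's default initCrcLength of 256 bytes. The CRC32
# used here is a simplification of the real fingerprint.
INIT_CRC_LENGTH = 256


def match_monitor(names, glob, whitelist=None, blacklist=None):
    """Files a [monitor:///.../<glob>] stanza would pick up, filtered by the
    optional whitelist/blacklist regexes (Splunk applies those to the path)."""
    picked = []
    for name in sorted(names):
        if not fnmatch.fnmatch(name, glob):
            continue
        if whitelist and not re.search(whitelist, name):
            continue
        if blacklist and re.search(blacklist, name):
            continue
        picked.append(name)
    return picked


def head_fingerprint(path, length=INIT_CRC_LENGTH):
    """CRC of the first `length` bytes: the identity used instead of the name."""
    with open(path, "rb") as fh:
        return zlib.crc32(fh.read(length)) & 0xFFFFFFFF


class FishBucket:
    """Minimal stand-in for Splunk's fishbucket: fingerprint -> bytes consumed."""

    def __init__(self):
        self.consumed = {}

    def ingest(self, path):
        """Read only the bytes beyond the recorded offset; return how many were new."""
        fp = head_fingerprint(path)
        size = os.path.getsize(path)
        offset = self.consumed.get(fp, 0)
        if size < offset:  # file shrank: treat as a fresh file with the same head
            offset = 0
        self.consumed[fp] = size
        return size - offset


def simulate():
    """Constructed scenario: index, go down during a rotation, then catch up."""
    line = "2017-06-01T10:%02d:00 GET /index.html 200\n"  # 40 bytes each
    with tempfile.TemporaryDirectory() as tmp:
        cur = os.path.join(tmp, "webapp.log")
        # Phase 1: forwarder up; it indexes 8 lines (320 bytes, > INIT_CRC_LENGTH)
        with open(cur, "w") as fh:
            fh.writelines(line % i for i in range(8))
        bucket = FishBucket()
        indexed_before = bucket.ingest(cur)
        # Phase 2: forwarder down; the app appends 4 lines, then logrotate renames
        # the file to webapp.log.1 and a new webapp.log starts
        with open(cur, "a") as fh:
            fh.writelines(line % i for i in range(8, 12))
        os.rename(cur, cur + ".1")
        with open(cur, "w") as fh:
            fh.write("2017-06-01T10:12:00 GET /login 302\n")  # 35 bytes
        with open(cur + ".bak", "w") as fh:
            fh.write("not a log\n")  # matched by the star, kept out by the whitelist
        # Phase 3: forwarder back up; compare the original stanza with the wildcard
        names = os.listdir(tmp)
        narrow = match_monitor(names, "webapp.log")
        wide = match_monitor(names, "webapp.log*", whitelist=r"webapp\.log(\.\d+)?$")
        b_narrow, b_wide = copy.deepcopy(bucket), copy.deepcopy(bucket)
        narrow_bytes = sum(b_narrow.ingest(os.path.join(tmp, n)) for n in narrow)
        wide_bytes = sum(b_wide.ingest(os.path.join(tmp, n)) for n in wide)
    return {
        "indexed_before_outage": indexed_before,  # 320
        "narrow_files": narrow,                   # ['webapp.log']
        "wide_files": wide,                       # ['webapp.log', 'webapp.log.1']
        "narrow_new_bytes": narrow_bytes,         # 35: the 160 bytes in webapp.log.1 are never seen
        "wide_new_bytes": wide_bytes,             # 195 = 35 + 160; the 320 already read are not repeated
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The gap the question describes is the `narrow_new_bytes` case: the lines appended to `webapp.log` just before it was renamed live on in `webapp.log.1`, which the original stanza never looks at. The wildcard stanza reads them, and because the rotated file keeps the same first 256 bytes, its fingerprint already has an offset recorded, so only the unread tail is taken. One caveat worth checking in your own setup: if rotated files start with an identical fixed header, their fingerprints collide; Splunk's inputs.conf `crcSalt = <SOURCE>` setting mixes the path into the fingerprint for that case.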