Getting Data In

is there a way to tail a file to index any new changes?

tantingli
Explorer

I let splunk monitor a directory of files. I found when any file got changed splunk will reindex all events in the file, not just the new lines added. Is there a way to "tail" those files so splunk will reindex/import only the new lines instead of reloading all event in the files?


jrodman
Splunk Employee

Can you please consider modifying this question to clarify either what you were trying to do, or to inquire about the strange behavior you saw? The goal is for these to be informative to others.

0 Karma

tantingli
Explorer

I found a solution:

# First stanza: followTail defaults to 0, so files that appear in the
# directory are indexed from the beginning.
[monitor:///LOGS/dtjlogs]
disabled = false
host =
host_regex =
host_segment = 3
index = default
sourcetype =

# Second stanza: same files, but with followTail = 1 so lines appended to
# already-seen .log files are picked up from the tail.
[monitor:///LOGS/dtjlogs/*/*.log]
disabled = false
host =
host_regex =
host_segment = 3
index = default
sourcetype =
followTail = 1

Actually the two [monitor] stanzas are monitoring the same files. The only difference is the followTail=1. I found that if I name the two monitors the same, only the first stanza works, so I just worked around it by naming them slightly differently. Now any new files will be picked up by the followTail=0 stanza and appended (tailed) events will be picked up by the followTail=1 stanza. Ha, what a solution.

0 Karma

jrodman
Splunk Employee

In 4.1, overlapping stanzas are supported, in this case, the .log files in subdirectories are handled by the second stanza, while the other files are handled by the first.

0 Karma

jrodman
Splunk Employee

Don't rely too much on this. The behavior for overlapping inputs like this is not well explored in 4.0. I suspect just the followtail stanza is needed, but you may not have been testing the file modification in a realistic way.

Be sure to replace the contents with new contents, rather than modifying a few lines in the middle. Also in 4.0, be prepared to be somewhat patient. In 4.1, the requirement for patience is much reduced.

0 Karma

the_wolverine
Champion

Yes, the followTail setting tells Splunk to index only new events in a monitored file:

followTail = 0|1

  • If set to 1, monitoring begins at the end of the file (like tail -f).
  • This only applies to files the first time they are picked up.
  • After that, Splunk's internal file position records keep track of the file.

http://www.splunk.com/base/Documentation/4.0.10/Admin/Monitorfilesanddirectories#Monitor_syntax_and_...
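To make the position-record model in this answer concrete, here is an added example (my own code, not Splunk's implementation and not part of this thread): a small Python tailer that starts at the end of a file the first time it sees it, then keeps a per-file byte offset so only newly appended complete lines are returned. It also shows the two situations raised elsewhere in this thread, an in-place rewrite and a newly added file, using a first-bytes heuristic of my own to detect rewrites. The Tailer class, the demo() helper and the 64-byte head comparison are assumptions for illustration, not how Splunk's internal records work.

```python
"""Toy file tailer with per-file position records (illustration, not Splunk code)."""
import os
import shutil
import tempfile
from typing import Dict, List

HEAD_BYTES = 64  # prefix remembered per file to notice an in-place rewrite (assumption)


class Tailer:
    def __init__(self, follow_tail: bool):
        self.follow_tail = follow_tail
        self.positions: Dict[str, int] = {}  # path -> byte offset already indexed
        self.heads: Dict[str, bytes] = {}    # path -> first bytes seen, to detect rewrites

    def poll(self, directory: str) -> List[str]:
        """Return new complete lines from every *.log file in the directory."""
        events: List[str] = []
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if name.endswith(".log") and os.path.isfile(path):
                events.extend(self._poll_file(path))
        return events

    def _poll_file(self, path: str) -> List[str]:
        size = os.path.getsize(path)
        with open(path, "rb") as f:
            head = f.read(HEAD_BYTES)
            if path not in self.positions:
                # First sighting: with follow_tail start at the end (like tail -f),
                # so content already in a newly added file is skipped.
                self.positions[path] = size if self.follow_tail else 0
                self.heads[path] = head
            elif size < self.positions[path] or not head.startswith(self.heads[path]):
                # Truncated or rewritten in place: treat it as a fresh file.
                self.positions[path] = 0
                self.heads[path] = head
            elif len(head) > len(self.heads[path]):
                # File grew past the remembered prefix; keep the longer prefix.
                self.heads[path] = head
            f.seek(self.positions[path])
            data = f.read()
        # Only hand out complete lines; a partial trailing line waits for the next poll.
        complete = data.rfind(b"\n") + 1
        self.positions[path] += complete
        return data[:complete].decode("utf-8", "replace").splitlines()


def _write(path: str, text: str) -> None:
    with open(path, "wb") as f:
        f.write(text.encode())


def _append(path: str, text: str) -> None:
    with open(path, "ab") as f:
        f.write(text.encode())


def demo() -> dict:
    """Walk through the scenarios from the thread in a constructed temp directory."""
    out = {}
    d = tempfile.mkdtemp()
    try:
        one = os.path.join(d, "1.log")
        _write(one, "old1\nold2\n")              # file exists before monitoring starts
        t = Tailer(follow_tail=True)
        out["first_poll"] = t.poll(d)            # [] : starts at the end of 1.log
        _append(one, "new3\n")
        out["append"] = t.poll(d)                # ['new3'] : only the appended line
        two = os.path.join(d, "2.log")
        _write(two, "x1\n")                      # a new file copied into the directory
        out["new_file"] = t.poll(d)              # [] : existing content of 2.log skipped
        _append(two, "x2\n")
        out["new_file_append"] = t.poll(d)       # ['x2']
        _write(one, "fresh1\nfresh2\nfresh3\n")  # rewritten in place, larger than before
        out["rewrite"] = t.poll(d)               # head changed -> re-read from the start
        _write(one, "s\n")                       # truncated to something shorter
        out["truncate"] = t.poll(d)              # size < offset -> re-read from the start
        out["no_followtail"] = Tailer(follow_tail=False).poll(d)  # everything present now
    finally:
        shutil.rmtree(d)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The "new_file" result is empty on purpose: with follow_tail on, a file that appears later starts at its end, which is the same effect described for new files later in this thread. The rewrite check only compares the first 64 bytes, so a rewrite that keeps the same prefix and does not shrink the file would be read from the old offset, which is the general weakness of offset-based tailing.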

jrodman
Splunk Employee

Agree with Tina, problem 1 is not known, and probably does not occur. When manually testing monitor behavior, it's easy to not trigger reindexing, because splunk looks for the behavior of real logging programs (the whole file is changed, not just portions).

Problem 2 is known. Followtail's implementation assumes that you roll existing files rather than add new ones. You could use followtail on specific individual file paths to avoid this problem.

0 Karma

the_wolverine
Champion

From my testing, it looks like followTail is working. Files in subdirectories of the configured monitor input directory are properly recognized when If it is not working for you, please submit a ticket to support and provide your test case.

0 Karma

tantingli
Explorer

Thanks! I tried it and it works for tailing the file.
But I found two problems:
1. Say I have 1.log in the directory. Adding new lines works fine, but if I overwrite the existing content with new events, then it won't get imported/indexed.
2. If I copy another file called 2.log to this directory, that file won't get picked up automatically.

These 2 problems were not there without followTail=1.

0 Karma