How efficiently log files can be handled?

ansif · ‎10-16-2019

We have spotlight which can write logs to a file. How can we manage log file size in Linux and Windows OS?

Need to rotate log files in Linux and Windows without breaking events.

gcusello · ‎10-16-2019

Hi ansif,
sorry, but I don't understand your question: Splunk reads logs from files, if you need to rotate files isn't a Splunk problem, when you rotate a file Splunk will start to ingest logs from the new one without ingesting the old logs.

Ciao.
Giuseppe

ansif · ‎10-16-2019

Ya not a splunk problem. I am asking how can we ensure as a best practice from OS perspective to rotate logs and last event in the log file is not broken.

gcusello · ‎10-16-2019

Hi ansif,
as I said Splunk solves this problem because it reads the old file until it's rotated, then start to read the new one (probably with the same name) and doesn't read the old one.
Obviously if after rotation the new logs are in a file with a different name, you have to build your input in appropriate mode using *, e.g. if I have my files called myfile_2019_10_15.log, I have to use a monitor stanza like this:

[monitor:///tmp/my_logs/myfile_*.log]

Ciao.
Giuseppe

How efficiently log files can be handled?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!