Re: How efficiently log files can be handled?

ansif · ‎10-16-2019

We have spotlight which can write logs to a file. How can we manage log file size in Linux and Windows OS?

Need to rotate log files in Linux and Windows without breaking events.

gcusello · ‎10-16-2019

Hi ansif,
sorry, but I don't understand your question: Splunk reads logs from files, if you need to rotate files isn't a Splunk problem, when you rotate a file Splunk will start to ingest logs from the new one without ingesting the old logs.

Ciao.
Giuseppe

ansif · ‎10-16-2019

Ya not a splunk problem. I am asking how can we ensure as a best practice from OS perspective to rotate logs and last event in the log file is not broken.

gcusello · ‎10-16-2019

Hi ansif,
as I said Splunk solves this problem because it reads the old file until it's rotated, then start to read the new one (probably with the same name) and doesn't read the old one.
Obviously if after rotation the new logs are in a file with a different name, you have to build your input in appropriate mode using *, e.g. if I have my files called myfile_2019_10_15.log, I have to use a monitor stanza like this:

[monitor:///tmp/my_logs/myfile_*.log]

Ciao.
Giuseppe

How efficiently log files can be handled?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation