Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Best Practice for Large Directory of Files

chrisboy68
Contributor
‎08-20-2015 11:41 AM

Hi,

I have some very large directorys. Here is my input.conf

[monitor://\\server\folder]
disabled = false
host = myhost
index = mylogs
sourcetype = mytasks
ignoreOlderThan = 2d
whitelist = (MYTasks\[EXPORT.*.log|MYTasks\[IMPORT.*.log)

When I check the number of files (Data inputs » Files & directories), I see 3840 files. Because of the Whitelist and modtime, most are ignored. Question, is this common? Seems inefficient for Splunk to monitor "skipped" files, I'm not sure if it has to re-read/touch these at every restart. I get a ton of files listed in "services/admin/inputstatus/TailingProcessor:FileStatus". If this is normal I'll move on, just trying to make sure my instance is performing optimally.

Thank you,

Chris

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎08-20-2015 01:01 PM

If you cannot remove the files where they are, you are eventually going to have so many files for Splunk to dig through that the forwarder will be hopelessly slow in locating new events. The best way to handle it is to remove files that Splunk is not interested in or which Splunk has forwarded and will never update (check out the batch input type). If this cannot be done, then you can have Splunk monitor a different directory and you write a script and schedule it on a cron job so that it creates (and removed) soft links for the files that Splunk needs to watch.

0 Karma
Reply

chrisboy68
Contributor
‎08-21-2015 10:24 AM

Thank you for your reply. This made me dig more and I noticed that some directory's were being archived. Then with more reading I saw 

recurse = [true|false]
* If true, recurse directories within the directory specified in [fschange].
* Defaults to true.

Hence, changing recurse=false, really reduced the i/o read time.

Thanks!

Chris

0 Karma
Reply

woodcock
Esteemed Legend
‎08-24-2015 06:52 AM

Yes, I would have suggested this if you had a said anything about subdirectories. It works very well.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...