Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: Best Practice for Large Directory of Files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best Practice for Large Directory of Files
Hi,
I have some very large directorys. Here is my input.conf
[monitor://\\server\folder]
disabled = false
host = myhost
index = mylogs
sourcetype = mytasks
ignoreOlderThan = 2d
whitelist = (MYTasks\[EXPORT.*.log|MYTasks\[IMPORT.*.log)
When I check the number of files (Data inputs » Files & directories), I see 3840 files. Because of the Whitelist and modtime, most are ignored. Question, is this common? Seems inefficient for Splunk to monitor "skipped" files, I'm not sure if it has to re-read/touch these at every restart. I get a ton of files listed in "services/admin/inputstatus/TailingProcessor:FileStatus". If this is normal I'll move on, just trying to make sure my instance is performing optimally.
Thank you,
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you cannot remove the files where they are, you are eventually going to have so many files for Splunk to dig through that the forwarder will be hopelessly slow in locating new events. The best way to handle it is to remove files that Splunk is not interested in or which Splunk has forwarded and will never update (check out the batch input type). If this cannot be done, then you can have Splunk monitor a different directory and you write a script and schedule it on a cron job so that it creates (and removed) soft links for the files that Splunk needs to watch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your reply. This made me dig more and I noticed that some directory's were being archived. Then with more reading I saw
recurse = [true|false]
* If true, recurse directories within the directory specified in [fschange].
* Defaults to true.
Hence, changing recurse=false, really reduced the i/o read time.
Thanks!
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I would have suggested this if you had a said anything about subdirectories. It works very well.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
