Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Modtime is newer than stored, will reread file with 9.x.x

hrawat
Splunk Employee
Splunk Employee
‎02-17-2024 04:44 PM

CHECK_METHOD = modtime is not working as expected due to a regression in 9.x as there is wrong calculation which will lead to un-expected re-reading of a file.
Until next patch, use following workaround for inputs with CHECK_METHOD = modtime
In inputs.conf set following for impacted stanza

time_before_close=0




 

Tags (1)
Reply

fratamicod
Explorer
‎11-24-2025 06:49 AM

I'm seeing this issue on 9.3.0. Which version of 9.x.x was this patched?

0 Karma
Reply

hrawat
Splunk Employee
Splunk Employee
‎11-25-2025 08:32 PM

9.2.1 and above has the fix. May be you want to explain your issue with configs.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...