I have several thousand files that are being monitored with a stanza like the following:
[/files//.log]
when i restart splunkd it begins to go through all the files to catch up where it left off with messages like:
05-21-2012 16:32:46.927 -0700 INFO WatchedFile - Will begin reading at offset=279956 for...
Since there are so many files, I was wondering if there is a way to manually push a file into the "next to be read" queue in case i have a user requesting immediate data?
There is a way to do something like that, though not exactly what you are asking:
[monitor:///var/log/veryimportant.log]
[monitor:///var/log]
blacklist=veryimportant.log
A critical rule to remember is - you cannot have two identical monitor stanzas.
Since veryimportant.log
is specifically named, it will be found "directly" and monitored. Splunk will iterate over the other files in /var/log
, so it will probably take longer to index the updates for them. I don't know that this is guaranteed, but try it.