Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Permissions on monitored files

RicoSuave
Builder
‎11-29-2012 09:16 AM

If permissions get changed on a log file that is being monitored by splunk and becomes unreadable, will Splunk give up permanently on rechecking the readability of the log without an agent restart? Just wondering what the testing logic is and whether the agent will resume collecting the logs once the log file permissions are returned to readable?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-29-2012 09:29 AM

The behavior changed in 4.3.3, before the Tailing processor was trying 10 times to read a file then gave up (if permission were restrictives or the file locked). So the only way was to restart the forwarder to redetect the file (or use the REST endpoint to reload the tailing processor)

Since late 4.3.3 and 5.0.*, the Tailing processor retry after in interval of time, this interval increase with each failure to maximum of 34 minutes.

see http://docs.splunk.com/Documentation/Splunk/4.3.4/ReleaseNotes/4.3.3

When tailing files, consecutive failures for accessing or handling the same pathname will result in a doubling interval up to 0.5s * 2^(12), or 1 * 2^(11) seconds or 2048 seconds, or 34 minutes and 8 seconds. If more errors are encountered, the timer will remain at 34 minutes and 8 seconds. (SPL-50995)

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-29-2012 09:29 AM

The behavior changed in 4.3.3, before the Tailing processor was trying 10 times to read a file then gave up (if permission were restrictives or the file locked). So the only way was to restart the forwarder to redetect the file (or use the REST endpoint to reload the tailing processor)

Since late 4.3.3 and 5.0.*, the Tailing processor retry after in interval of time, this interval increase with each failure to maximum of 34 minutes.

see http://docs.splunk.com/Documentation/Splunk/4.3.4/ReleaseNotes/4.3.3

When tailing files, consecutive failures for accessing or handling the same pathname will result in a doubling interval up to 0.5s * 2^(12), or 1 * 2^(11) seconds or 2048 seconds, or 34 minutes and 8 seconds. If more errors are encountered, the timer will remain at 34 minutes and 8 seconds. (SPL-50995)

Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎11-29-2012 10:07 AM

LIKE A SIR

0 Karma
Reply
Solved! Jump to solution

RicoSuave
Builder
‎11-29-2012 09:35 AM

Thank you, le sir!

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...