Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Log rotation affecting reading of logs

sphiwee
Contributor
‎11-24-2020 01:46 AM

Hi there we noticed we are not getting some logs coming through @ some hours in the morning after log rotation. so we ran the below query.

 

index=_internal host=* /opt/workfusion/supervisord/log/workfusion.out.log NOT Metrics earliest=-7d latest=now
| timechart span=5m count as NumInt

 

here's the result below

11-24-2020 01:30:03.080 +0200 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/workfusion/supervisord/log/workfusion.out.log'.

 

11-19-2020 01:30:04.536 +0200 INFO WatchedFile - Logfile truncated while open, original pathname file='/opt/workfusion/supervisord/log/workfusion.out.log', will begin reading from start.

 

How can I fix this since it's affecting our dashboard because there are no results or logs so the dashboard is empty. 

 

 

 

Labels (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-24-2020 01:52 AM
How you are rotating those logs? mv + touch, cp + truncate something else?
0 Karma
Reply

sphiwee
Contributor
‎11-24-2020 03:00 AM

cp to backup location, then rm originals 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-24-2020 08:15 AM
Maybe you should try logrotate to rotate log files e.g. https://linux.die.net/man/8/logrotate
You could try different options how to signal your software to release filehandlers to old log file and star to use new so that you don’t loss events.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...