forward not detect changes

indeed_2000 · ‎06-15-2021

Hi

I install forwarder on a server.

it work perfectly and forward anything on this path /data/app/log to splunk server, but after server disk space run out, I try to delete a file "server.log" on this path, then restart my app to create new server.log on that path. file create again successfully but after this action forwarder not detect changes.

I try to restart forwarder but not affected!

any idea?

Thanks,

venkatasri · ‎06-15-2021

Hi @indeed_2000

Could be a possible fishbucket issue, you can check the current monitor status by issuing command under $SPLUNK_HOME/bin use the "./splunk list inputstatus" to get more detailed info on where Splunk is in reading the different files. If you do not find any clue here, you can remove fishbucket directorty/reset -

Clear fishbucket: Declaimer: The data already indexed might re-index.

Stop the forwarder
Execute this command under $SPLUNK_HOME/bin (change the file path accordingly)
./splunk cmd btprobe -d /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db --file /data/app/log --reset
start forwader
Refer - Command line tools for use with Support - Splunk Documentation

----

An upvote would be appreciated if it helps!

venkatasri · ‎06-20-2021

@indeed_2000 It would be great if the steps have provided the fix then accept the solution.

forward not detect changes

metadata

search job inspector

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?

forward not detect changes

metadata

search job inspector

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...