forward not detect changes

indeed_2000 · ‎06-15-2021

Hi

I install forwarder on a server.

it work perfectly and forward anything on this path /data/app/log to splunk server, but after server disk space run out, I try to delete a file "server.log" on this path, then restart my app to create new server.log on that path. file create again successfully but after this action forwarder not detect changes.

I try to restart forwarder but not affected!

any idea?

Thanks,

venkatasri · ‎06-15-2021

Hi @indeed_2000

Could be a possible fishbucket issue, you can check the current monitor status by issuing command under $SPLUNK_HOME/bin use the "./splunk list inputstatus" to get more detailed info on where Splunk is in reading the different files. If you do not find any clue here, you can remove fishbucket directorty/reset -

Clear fishbucket: Declaimer: The data already indexed might re-index.

Stop the forwarder
Execute this command under $SPLUNK_HOME/bin (change the file path accordingly)
./splunk cmd btprobe -d /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db --file /data/app/log --reset
start forwader
Refer - Command line tools for use with Support - Splunk Documentation

----

An upvote would be appreciated if it helps!

venkatasri · ‎06-20-2021

@indeed_2000 It would be great if the steps have provided the fix then accept the solution.

forward not detect changes

metadata

other

search job inspector

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...