Re: forward not detect changes

indeed_2000 · ‎06-15-2021

Hi

I install forwarder on a server.

it work perfectly and forward anything on this path /data/app/log to splunk server, but after server disk space run out, I try to delete a file "server.log" on this path, then restart my app to create new server.log on that path. file create again successfully but after this action forwarder not detect changes.

I try to restart forwarder but not affected!

any idea?

Thanks,

venkatasri · ‎06-15-2021

Hi @indeed_2000

Could be a possible fishbucket issue, you can check the current monitor status by issuing command under $SPLUNK_HOME/bin use the "./splunk list inputstatus" to get more detailed info on where Splunk is in reading the different files. If you do not find any clue here, you can remove fishbucket directorty/reset -

Clear fishbucket: Declaimer: The data already indexed might re-index.

Stop the forwarder
Execute this command under $SPLUNK_HOME/bin (change the file path accordingly)
./splunk cmd btprobe -d /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db --file /data/app/log --reset
start forwader
Refer - Command line tools for use with Support - Splunk Documentation

----

An upvote would be appreciated if it helps!

venkatasri · ‎06-20-2021

@indeed_2000 It would be great if the steps have provided the fix then accept the solution.

forward not detect changes

metadata

search job inspector

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation