I am sure I read something about IIS and log file modtime in here somewhere, but I can't find that post again.
Anyway, from the Splunk docs and other comments, I gather that IIS not updating modtime is the reason why I have odd issues with IIS logs.
Can anyone confirm this?
What happens is that suddenly, some time during the day, my IIS logs stop coming in. I haven't sat around to watch it for hours, but I can see that next morning, all the data is there.
I haven't confirmed, but I would guess that the log file switch at midnight is what triggers a read of the file, and the data is indexed.
The question then is: is there a solution to that problem? Can I make Splunk follow the log continuously (without duplicate indexing results, of course)?
As said, I thought I read the answer to that question in here before, but I can't find it again.