Hi,
I have to monitor exported events from a remote Windows system. These files are XML files in text format, one XML record per line. Splunk is also running on Windows.
Now the events_last.xml file is being written; after the rotate, it gets a new name. Monitoring only this events_last.xml file, can I miss some records because of the logrotate?
What do you suggest for indexing these files? Can I monitor events_last.xml, or do I need to wait for the logrotate?
Should we limit the file size because of Splunk?
Update:
Based on the answers, as I understand it: it's safe to monitor the directory including the events_last.xml and the rotated files. The CRC check will handle it by default.
What if I only monitor the events_last.xml? The log source continuously writes the file, and when the time comes, it immediately rotates it. Can Splunk catch the last lines? Or can the rotate process be faster, so that Splunk misses some lines?
I also checked some docs (e.g. http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Monitorfilesanddirectories) but did not find a detailed one. For the [monitor://*] stanza I didn't find any interval attributes.
Update 2:
Finally, we monitor only the rotated files. The delta listening didn't work well because of the XML format. The exporter system does not put the new logs at the very end of the file (it puts them before the last tag), so Splunk re-reads the full file, not just the new logs.
Thanks for the help.
Regards,
István
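The failure mode described in Update 2, reproduced as an added example (not code from the original post or from Splunk): an exporter that inserts each record before the closing wrapper tag rewrites bytes a tail-by-offset reader has already consumed, so the reader sees a torn fragment rather than the new record, while a closed (rotated) file can be split cleanly into one record per line. The file layout and the sample record are constructed assumptions.

```python
"""Why offset-based tailing fails for an XML export that inserts new
records before the closing tag, versus reading a complete rotated file."""
import os
import tempfile

# Constructed wrapper tags; the real export format is an assumption here.
HEADER = b"<events>\n"
CLOSING = b"</events>\n"


def write_initial(path):
    with open(path, "wb") as f:
        f.write(HEADER + CLOSING)


def exporter_append(path, record):
    # The exporter does not append: it truncates the closing tag,
    # writes the new record, then writes the closing tag again.
    with open(path, "r+b") as f:
        f.seek(-len(CLOSING), os.SEEK_END)
        f.truncate()
        f.write(record + b"\n" + CLOSING)


def naive_tail(path, offset):
    # Read only the bytes beyond the last seen offset, like a tailing monitor.
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
        return data, f.tell()


def records_from_complete_file(path):
    # For a rotated, closed file: one record per line, wrapper tags dropped.
    with open(path, "rb") as f:
        lines = f.read().splitlines()
    return [ln for ln in lines if ln not in (HEADER.strip(), CLOSING.strip())]


def demo():
    live = os.path.join(tempfile.mkdtemp(), "events_last.xml")
    write_initial(live)
    _, offset = naive_tail(live, 0)  # monitor has consumed header + closing tag
    exporter_append(live, b'<event id="1" msg="constructed"/>')
    delta, _ = naive_tail(live, offset)  # only bytes past the old end of file
    return delta, records_from_complete_file(live)


if __name__ == "__main__":
    delta, records = demo()
    print("tail delta:", delta)      # torn fragment, closing tag repeated
    print("complete file:", records)  # the record, exactly once
```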