Hi Community!
I have a strange behaviour with monitoring a configuration file.
Since a specific time we get duplicate events from this file.
I see in splunkd.log that every 3 seconds this file was read again.
11-21-2016 13:34:01.630 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:01.632 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:04.500 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:04.501 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:07.502 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:07.504 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:10.504 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
And in metrics.log I see that data and events for this file were sent to the indexer,
but the file itself wasn't updated, nor were any changes made.
11-21-2016 13:33:47.812 +0100 INFO Metrics - group=per_source_thruput, series="/opt/mainapp/ap.conf", kbps=4.090971, eps=0.967770, kb=126.816406, ev=30, avg_age=2836.166667, max_age=8522
11-21-2016 13:34:18.813 +0100 INFO Metrics - group=per_source_thruput, series="/opt/mainapp/ap.conf", kbps=4.090742, eps=0.967716, kb=126.816406, ev=30, avg_age=2846.166667, max_age=8552
11-21-2016 13:34:49.813 +0100 INFO Metrics - group=per_source_thruput, series="/opt/mainapp/ap.conf", kbps=4.499917, eps=1.064511, kb=139.498047, ev=33, avg_age=2856.666667, max_age=8585
11-21-2016 13:35:20.813 +0100 INFO Metrics - group=per_source_thruput, series="/opt/mainapp/ap.conf", kbps=4.090934, eps=0.967761, kb=126.816406, ev=30, avg_age=2867.166667, max_age=8615
It is interesting because the duplicate events all occur at the last change timestamp.
This is the Inputs.conf:
[monitor:///opt/mainapp/ap.conf]
disabled = false
followTail = false
index = app
sourcetype = app_conf
ignoreOlderThan = 1h
Do you have an idea what's going wrong? This file monitor has worked for a few years.
Another thing is that a few weeks ago the UF was upgraded to 6.5.0; maybe this has an influence on this behaviour?
Thanks
Robert
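One way to confirm the re-read loop described in the post, as an added example that is not part of the original post: it scans splunkd.log text for WatchedFile lines that restart at offset=0 and flags files restarted repeatedly within a short window. The function name, window and threshold are assumptions, and the sample lines are constructed from the log format quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the splunkd.log format quoted in the post;
# /var/log/example.log is a hypothetical second monitored file.
SAMPLE = """\
11-21-2016 13:34:01.630 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:01.632 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:02.100 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/var/log/example.log'.
11-21-2016 13:34:04.500 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
11-21-2016 13:34:05.200 +0100 INFO WatchedFile - Will begin reading at offset=4096 for file='/var/log/example.log'.
11-21-2016 13:34:07.502 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/mainapp/ap.conf'.
"""

LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} INFO\s+WatchedFile - "
    r"Will begin reading at offset=(\d+) for file='([^']+)'\."
)

def find_reread_loops(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {path: max restarts from offset 0 inside any window} for files
    that reach `threshold`. Timestamps are compared as local time, which is
    fine for a single forwarder's log."""
    starts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "0":  # only full re-reads, not resumed reads
            ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f")
            starts[m.group(3)].append(ts)
    flagged = {}
    for path, times in starts.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[path] = best
    return flagged

if __name__ == "__main__":
    for path, count in find_reread_loops(SAMPLE).items():
        print(f"{path}: restarted at offset 0 {count} times within 60s")
```

A file that is flagged here while its modification time is unchanged matches the symptom in the post: the forwarder keeps treating the file as new rather than resuming from a saved offset.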