I am trying to configure Splunk to monitor a service that has some unusual (to me) logging behaviour (unfortunately re-writing the logging code is not an option as it is 3rd party).
In folder X it creates several files
A.log
B.log
C.log
and appends to them.
After 24 hours it
moves/copies A.log to old/A__< date_stamp >.log
moves/copies B.log to old/B__< date_stamp >.log
moves/copies C.log to old/C__< date_stamp >.log
and truncates/creates the original file again
Questions:
If I just monitor the original files, i.e. A.log, ..., is it possible that Splunk may miss a logging event because the event is written just as the file is being copied/truncated?
If I try to monitor all the log files (so I never lose a message), can I wildcard it such that all A*.log events have a common sourcetype?
If I end up watching all the log files, it is possible I'll have duplicate entries, the first from the original and the second from the copy in the old folder. If so, is there a common/known strategy to handle that within Splunk?
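An added inputs.conf fragment (not from the original post) showing one way to express the second question: a wildcarded monitor stanza per log family, so that A.log and every old/A__&lt;date_stamp&gt;.log share one sourcetype. The folder /var/log/X and the sourcetype names are assumptions; the `...` recursion wildcard, `*` filename wildcard, `sourcetype` and `crcSalt` settings are standard inputs.conf keys.

```ini
# Assumed path: the service writes to /var/log/X and rotates into /var/log/X/old.
# "..." recurses into subdirectories, so both X/A.log and X/old/A__<date_stamp>.log
# match this stanza and are indexed with the same sourcetype.
[monitor:///var/log/X/.../A*.log]
sourcetype = svc_a        ; assumed sourcetype name
index = main

[monitor:///var/log/X/.../B*.log]
sourcetype = svc_b        ; assumed sourcetype name
index = main

[monitor:///var/log/X/.../C*.log]
sourcetype = svc_c        ; assumed sourcetype name
index = main

# Deliberately NOT set here:
# crcSalt = <SOURCE>
# Splunk identifies a monitored file by a CRC of its first 256 bytes (initCrcLength)
# rather than by path. Because the rotated copy keeps the same leading bytes as the
# original it was copied from, Splunk recognises it as an already-indexed file and
# does not re-ingest it, which is what avoids the duplicates from the third question.
# Setting crcSalt = <SOURCE> would make the path part of the identity and cause every
# copy under old/ to be indexed a second time.
```

The caveat a practitioner checks before relying on this: if the third-party service writes an identical header at the top of every file, the first 256 bytes of A.log, the day-old copy, and the freshly truncated A.log all produce the same CRC, and Splunk will treat the new file as the old one and skip it. In that case raise `initCrcLength` (so the CRC covers bytes that differ between files) rather than reaching for `crcSalt = <SOURCE>`, which reintroduces the duplicate problem. Either way, verify with a search such as `index=main sourcetype=svc_a | stats count by source` after one rotation to confirm each event appears once.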