I am trying to determine what the frequency is at which Splunk reads log files. I have Data Inputs set up against 5 web servers in a farm reading W3C logs. It seems that it can take hours for Splunk to get to some of the logs, while one server is read pretty much instantly. I don't understand why there is a difference.
The log files are created hourly and rotated on a ~monthly basis. When I originally set up the Inputs I didn't specify to tail the file; I wanted all of the history with the initial load. It's been 2.5 hours and I still only have one server's data from the thirty-minute time span I am looking at.
I guess my question is, does Splunk have the ability to tail multiple files at once? Is there a way to configure Splunk so I have more up-to-date log files indexed across my web farms?
UPDATE:
It has been five hours and I still only have the one server's logs. These Inputs have been set up for more than a month, so it is not a case of an initial load delay. I have verified the logs are all in GMT, and they appear to be set up the same on the Data input (files) screen.
Can more than one file be tailed at a time?