×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
chjpcert
Explorer
Member since: ‎07-27-2010
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎07-27-2010
Activity Feed
View All

Re: Appending vs overwriting tailed log files

by in Getting Data In
‎09-14-2010 02:18 AM
‎09-14-2010 02:18 AM
Also a good idea - rsync --append seems to avoid duplicates too. Thanks! ... View more

Re: Appending vs overwriting tailed log files

by in Getting Data In
‎09-09-2010 08:33 AM
‎09-09-2010 08:33 AM
dwaddle - how embarrassing: I had forgotten that my data directory IS in fact symlinked to another filesystem! I'm re-testing now by using a temp directory on the same filesystem as my data directory. Short of verifying the results, I'm pretty sure you've cracked it. This has been very interesting to look into - I ended up breaking out inotifywait to watch how mv operates. The difference in behaviour of mv between different filesystems and the same filesystem is plain to see, and is exactly as you describe. A good lesson learned today 🙂 ... View more

Re: Appending vs overwriting tailed log files

by in Getting Data In
‎09-08-2010 09:46 AM
‎09-08-2010 09:46 AM
Thanks very much for your help - much appreciated. Firstly, I've ensured everything is using mv. I've also disabled followTail. However, I still haven't been able to successfully remove my duplicates. To investigate, I ran three tests. One overwrote the log via cp, one overwrote via mv, and the last directly appended data to the log. Both the cp'ed and mv'ed logs produced duplicates, while the appended log seems okay. I'll keep examining this from the meantime, but I'm getting the feeling that it might be more than just cp or a followTail setting. Hopefully I'll post my findings soon. ... View more

Appending vs overwriting tailed log files

by in Getting Data In
‎09-07-2010 02:07 AM
1 Karma
‎09-07-2010 02:07 AM
1 Karma
I've been testing Splunk for several months now, and am consistently having problems with duplicate events appearing in the index. This sort of inconsistency is a show-stopper, so I decided to write a simple test case to investigate. Our actual conditions are: remote log file downloaded to /tmp via HTTP as a cron job when downloading complete, log file in /tmp overwritten over the old log file Splunk picks up the file and should only index new entries However, throughout the day, we see a lot of duplicate entries, often in the magnitude of 10x the original number of log entries. Experimenting, it seemed that Splunk might act differently depending on whether the log is being overwritten or appended to. I ran a test script for about 12 hours, which continually added a new lines to two log files by either appending to a temp file and then overwriting to the monitored file, or directly appending to the monitored file. Raw files: $ wc -l ~/data/test/* 63987 /home/splunk/data/test/append.log 63374 /home/splunk/data/test/overwrite.log In Splunk: /home/splunk/data/test/overwrite.log | 8,994,387 /home/splunk/data/test/append.log | 63,965 You can clearly see the reindexing issue in overwrite.log. The small difference in append.log is likely Splunk not having indexed some entries yet. My settings look like this: [monitor://home/splunk/data/test/] disabled = false host = test index = main crcSalt = <SOURCE> followTail = 1 (The actual log file I'm having trouble with contains a long header line, which is why I'm using crcSalt). I noticed this in the change history for 4.1.4: "monitor inputs using the followTail setting sometimes will index some older events or all events from log files which are updated when not intended. (SPL-23555) " Are there any more details on what type of problems SPL-23555 fixed? I haven't seen any changes in behaviour after upgrading. I've also been receiving these messages in my splunkd.log intermittently: Time parsed (Mon Sep 6 00:02:16 2010) is too far away from the previous event's time (Mon Sep 6 14:55:55 2010) to be accepted. The first date comes from the beginning of the file, the second from the end. Does this mean that Splunk is trying to scan the overwritten file before writing is completed, thus treating it as a completely different file with new entries? Is overwriting log files an acceptable practice when using Splunk? Is this a bug of some kind? Many thanks, Chris ... View more

Re: duplicated events when monitoring from log fil...

by in Getting Data In
‎07-27-2010 02:08 AM
1 Karma
‎07-27-2010 02:08 AM
1 Karma
I've got the same problem here. I download a log file to a temporary directory every 5 minutes, then move it into the log file directory I've specified in Splunk, overwriting the previous log. However, many events are duplicated in the index. For example, one log with 8859 lines ended up as 154,130 events in the index. Adding it manually via the "add oneshot" command produces the correct number of events. I've confirmed that the events are listed only once in the log files themselves. I've got followTail = 1 set in inputs.conf. I've also got crcSalt = set, if that's somehow related. Is there something off with the way Splunk handles tailing log files, or is there a config change needed here? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All