Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputs.conf wait time t monitor file

rbardonetorian
Path Finder
‎04-25-2017 07:51 AM

Hello,

I am running into an issue where the 6.5.3 UF does not wait long enough on the monitored file as the file sometimes takes 400 secs to fully have been reported upon and close.

Looking at the inputs.conf man page I notice "followTail" and "time_before_close" configurations.

Could someone shed some light as to what "time_before_close = " really does?
Will this "time_before_close = " configuration set the the UF to wait until my specified time to read the file in its entirety?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

beatus
Communicator
‎04-25-2017 10:19 AM

rbardonetorian,
"time_before_close" Will cause Splunk to wait a specified amount of time after Splunk has reach an EOF condition. The default of 3 seconds can be too low on systems buffering their writes or very heavily loaded systems. That will cause Splunk to truncate events.
Another option that will help is "multiline_event_extra_waittime = true". I'd recommend using this setting in combination with "time_before_close".

Between these two settings, Splunk will wait longer for writes to happen when they're "mid event" and that will reduce event truncation significantly.

Some draw-backs of "time_before_close" are that Splunk will use extra file descriptors as it is keeping more files open longer.

Lastly, don't use "followTail" unless instructed to do so by support. It doesn't sound like it will help in your situation and will likely cause more issues than it solves.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

beatus
Communicator
‎04-25-2017 10:19 AM

rbardonetorian,
"time_before_close" Will cause Splunk to wait a specified amount of time after Splunk has reach an EOF condition. The default of 3 seconds can be too low on systems buffering their writes or very heavily loaded systems. That will cause Splunk to truncate events.
Another option that will help is "multiline_event_extra_waittime = true". I'd recommend using this setting in combination with "time_before_close".

Between these two settings, Splunk will wait longer for writes to happen when they're "mid event" and that will reduce event truncation significantly.

Some draw-backs of "time_before_close" are that Splunk will use extra file descriptors as it is keeping more files open longer.

Lastly, don't use "followTail" unless instructed to do so by support. It doesn't sound like it will help in your situation and will likely cause more issues than it solves.

0 Karma
Reply
Solved! Jump to solution

rbardonetorian
Path Finder
‎04-25-2017 12:00 PM

Perfect , thank you!!

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...