Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputs.conf wait time t monitor file

rbardonetorian
Path Finder
‎04-25-2017 07:51 AM

Hello,

I am running into an issue where the 6.5.3 UF does not wait long enough on the monitored file as the file sometimes takes 400 secs to fully have been reported upon and close.

Looking at the inputs.conf man page I notice "followTail" and "time_before_close" configurations.

Could someone shed some light as to what "time_before_close = " really does?
Will this "time_before_close = " configuration set the the UF to wait until my specified time to read the file in its entirety?

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

beatus
Communicator
‎04-25-2017 10:19 AM

rbardonetorian,
"time_before_close" Will cause Splunk to wait a specified amount of time after Splunk has reach an EOF condition. The default of 3 seconds can be too low on systems buffering their writes or very heavily loaded systems. That will cause Splunk to truncate events.
Another option that will help is "multiline_event_extra_waittime = true". I'd recommend using this setting in combination with "time_before_close".

Between these two settings, Splunk will wait longer for writes to happen when they're "mid event" and that will reduce event truncation significantly.

Some draw-backs of "time_before_close" are that Splunk will use extra file descriptors as it is keeping more files open longer.

Lastly, don't use "followTail" unless instructed to do so by support. It doesn't sound like it will help in your situation and will likely cause more issues than it solves.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

beatus
Communicator
‎04-25-2017 10:19 AM

rbardonetorian,
"time_before_close" Will cause Splunk to wait a specified amount of time after Splunk has reach an EOF condition. The default of 3 seconds can be too low on systems buffering their writes or very heavily loaded systems. That will cause Splunk to truncate events.
Another option that will help is "multiline_event_extra_waittime = true". I'd recommend using this setting in combination with "time_before_close".

Between these two settings, Splunk will wait longer for writes to happen when they're "mid event" and that will reduce event truncation significantly.

Some draw-backs of "time_before_close" are that Splunk will use extra file descriptors as it is keeping more files open longer.

Lastly, don't use "followTail" unless instructed to do so by support. It doesn't sound like it will help in your situation and will likely cause more issues than it solves.

0 Karma
Reply
Solved! Jump to solution

rbardonetorian
Path Finder
‎04-25-2017 12:00 PM

Perfect , thank you!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...