Solved: What happens if a large log file being monitored h...

pkeller · ‎12-11-2015

If I'm monitoring a very large logfile

[monitor:///home/me/logs]
whitelist = (myApp)\.log$

/home/me/logs/myApp.log

And at some point, a process rotates the file to:

/home/me/logs/OLD/myApp.log

If the file hasn't fully been forwarded at the time of rotation ... will:

myApp.log be monitored in the new directory (assumed because OLD would be in scope for the monitored path)
myApp.log be monitored in its entirety, or will Splunk still know the offset that was last indexed

Thank you.

If

hortonew · ‎12-11-2015

Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.

View solution in original post

hortonew · ‎12-11-2015

Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.

What happens if a large log file being monitored hasn't fully been forwarded at the time of rotation?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!