I am monitoring a directory with contains files that are rotated.
Example:
A file, today.logs is currently being processed by splunk
tomorrow, the today.logs will be renamed to yesterday.logs
My question is: will splunk process these events twice?
Splunk should detect renames files like this. In fact, if Splunk wasn't completely done indexing everything in "today.log" when it was renamed to "yesterday.log", then it will read the remaining portion of "yesterday.log" until it's caught up.
The feature works by recording hash values (finger prints) of the beginning and ending of the files being monitored, this way it can detect when a file was renamed. This also lets splunk recolonize when the file "today.log" has been truncated and new content is being written to the same file name, in which case splunk will read the new events starting at the beginning of the log index them.
Please note that you can alter (often just "break") this functionality by setting a crcSalt
value in your monitor
input stanza; which I recommend staying away from if at all possible. So, unless you've explicitly added such a setting, splunk should "just work" with your log files -- each event should be indexed once and only once.