At this point the monthly bulk "mv $CURRENTLOGS $OLDLOGS/something" job can be eliminated, as the new cron job would simply move $LOGFILE to the appropriate month's directory based on its metadata.

Let me know whether you agree with the concerns stated above and whether a briefly delayed solution works for you. If not, we can always discuss other ideas, but I believe the above is the simplest solution.

// And now, to go file a bug on max comment length here...

One way to make this work very well is if you can live with a 1-2 minute indexing delay (think: realtime data stream running a minute or two behind). If so, you can use the [DESTRUCTIVE] "sinkhole" input that exists on all Splunk instances. The idea is to setup a cron job that uses "find" to move all logs older than a couple of minutes to the archive directory, and simultaneously copy the file into the sinkhole directory. As soon as the sinkholed file is read, it will be deleted. This will keep the amount of monitored files (in the sinkhole) low, reducing memory usage.

network hiccups causing delays in sending files, indexers backing up due to a large burst of data, just plain having a network & indexer setup that is regularly outpaced by log file growth, etc.

So, monitoring the CURRENTLOGS directory in your scenario may not turn out to be entirely reliable. More typical logging strategies create fewer files that are larger and are rotated individually instead of as an entire directory, making it a bit easier to avoid this problem.

If there are many processes running every second and each process is creating one or more files per run, your file rotation strategy will create a race that could cause some data to be missed. When it comes time to "mv $CURRENTLOGS $OLDLOGS/something" and "mkdir $CURRENTLOGS", there's no guarantee that Splunk has indexed all of the logs being moved - for example, 100 processes could spin up in the seconds before the "mv" and the files they created may be moved out of the way before Splunk has a chance to see them. There are many reasons for the forwarder to fall behind like this:

Sorry for the delay in responding. We should be able to manage the amount of tracked files (and thus file-scanning performance & the amount of memory used), although a straight-forward setup with this rate of file creation can have some caveats, so we may resort to a couple of tricks. I'll explain my concerns below, and you can consider their validity.

Let's say the path setup is:
CURRENTLOGS=/path/to/app/instance1/logs/live
OLDLOGS=/path/to/app/instance1/logs/archive

There is only a single instance where these small files will be forwarded from using a Universal Forwarder, we are also using a Forwarder for the syslog-ng data. It'll all be over gigabit ethernet.

Sorry for the split posts, there is a character limit in the comments.

Thanks,
Mark

There are subdirectories for an application instance, but all the files are placed in the one directory under that instance path, so we'd end up having this structure;
- /path/to/app/instance1/logs/
- /path/to/app/instance2/logs/
I'm not sure what we can do in regards to moving log files around to different directories as the application isn't too flexible in that regards, which is one reason we are looking at splunk.

Hi Amrit,
We only want to index new files which is generally anything < 2 weeks old. Once indexed we don't really worry about them other than for historical access, and from the application point of view they do not change. They application logs are also archived off at the start of the new month - basically it's a mv $CURRENTLOGS $OLDLOGS && mkdir $CURRENTLOGS and then the application will put all the logs for the current month in the same directory as last months logs but it's now empty.