Hello fellow ninjas,
Good day. I'd like to ask if splunk uf restart is essential after I deleted a log file that is being monitored by splunk? Because, every time I delete the file, splunk is still reading it resulting high resources usage.
Thanks,
Dan
which version of SplunkUF you using? it might be a bug sometimes
Hi, its universal forwarder 6.2.6 and 6.4.0
Hi dantimola,
no, If you change some log file you can continue to use your UF without restarting it.
you need to restart Splunk Universal Forwarder only if you change some .conf file.
Bye.
Giuseppe
Thanks for your answer. My case is that, even we deleted the log file, splunk is still reading it as seen on the screenshot I've provided. What could be the problem?
Hi dantimola,
until you don't disable it, Splunk input is waiting for a new file or variation of it.
Bye.
Giuseppe
I saw migration.conf in the uf. Is it possible that it was the culprit why the issue is occuring?