Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to 'tail' the input that is being sent to indexer

splunker_123
Path Finder
‎09-07-2012 07:44 AM

Hi

Is it possible to tail the log files and send to indexer rather than sending one file as such.

To make it clear - We have some log files of huge size for which we cannot do log rotation for some reason and the file has got entry from last year which I dont want to monitor through splunk.
So is it possible to tail the last 600-700 lines of that file alone and send it to indexer -not the whole file?

Every update to those 700 lines should be sent to indexer on regular basis

Thanks

Tags (1)
Reply

MHibbin
Influencer
‎09-07-2012 08:14 AM

You must have your reasons but I think it would be much easier to just index the whole file and then have Splunk follow the tail. You can always use time range picker or earliest|latest in your search to filter out older results. Or you could "delete" events older than your selected age.

Reply

Drainy
Champion
‎09-07-2012 08:49 AM

It will cross your limit and register a violation but on an Enterprise licence Splunk will allow you up to 5 violations in a 30 day rolling window. So as long as you then spend the next 30 days without a single violation you will have a clean licence again 🙂 Splunk uses this model as it allows for scenarios like this and for companys to do monthly dumps of batch files and the like.

Reply

splunker_123
Path Finder
‎09-07-2012 08:47 AM

The reason I ruled out option of indexing the whole file is due to license limitation.We are allowed to index till 10GB perday
these files as a whole had grown up to 13GB now

so if I index whole file then ,at least for the first time when the whole file is indexed it will cross 10 GB?(as per my understanding)

0 Karma
Reply

Drainy
Champion
‎09-07-2012 07:57 AM

Your best bet would be to use a scripted input to run tail manually for the last 700 lines, something like tail blah -n 700 (double check the syntax).
The only issue would be duplication if you don't have 700 new events in between readings.

Reply

Drainy
Champion
‎09-07-2012 11:45 AM

That's just based on the modification time of the files. Monitor statements are all about the file, props are about the content 🙂

Reply

MuS
Legend
‎09-07-2012 09:35 AM

How about the ignoreOlderThan option? Or will this just work for the files itself and not the content of it?

0 Karma
Reply

MHibbin
Influencer
‎09-07-2012 08:07 AM

Syntax is correct :-)... or you could do tail -n 700 blah

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...