Monitoring Splunk

Monitor splunk file after restart

ankithreddy777
Contributor

In the Splunk docs it is given as:

How Splunk Enterprise handles monitoring of files during restarts
When the Splunk server is restarted, it continues processing files where it left off. It first checks for the file or directory specified in a monitor configuration. If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. The monitor process scans subdirectories of monitored directories continuously.

Suppose I deployed inputs to monitor a file and restarted Splunk after deploying, and the monitored file was not created yet. Does Splunk Enterprise check for that file only after 24 hours to read the file? What if the file is created a few minutes after restart? Will it be ignored until 24 hours after the restart?

Suppose I gave a wildcard for the file name. Does it behave the same? I can see a newly created file was read by Splunk immediately when it was created, for wildcard file names.

0 Karma

thambisetty
SplunkTrust

As per the document, during restart, if the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart.

Yes, as per the document the file will be ignored until the next check. Not tested.

If you are monitoring an existing directory, a newly created file under this monitored directory will be monitored immediately.

————————————
If this helps, give a like below.
0 Karma

ankithreddy777
Contributor

How does it work if you use a wildcard in the file or directory name, such as

[monitor.....././..../abc*

Will the file named "abcd", which is created a few hours after restart, be ignored until 24 hours? Or is there any exception for this scenario?

0 Karma

sudosplunk
Motivator

Whenever a file is created or modified, Splunk will monitor it immediately.

0 Karma

thambisetty
SplunkTrust

If there is any exception in this scenario, that would be described in the doc.

————————————
If this helps, give a like below.
0 Karma
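
A pre-restart check for the situation discussed in this thread, added here as an example (it is not from any poster or from Splunk): it lists which `[monitor://...]` paths in an inputs.conf are absent on disk, and for wildcard paths checks the directory before the first `*` or `...` segment. The sample configuration, its paths and the function names are constructed for illustration, and POSIX-style paths are assumed.

```python
import os
import re

# Constructed sample inputs.conf; the paths are placeholders, not from the thread.
SAMPLE_CONF = """
[monitor:///var/log/app/current.log]
sourcetype = app

[monitor:///var/log/app/abc*]
sourcetype = app

[monitor:///opt/data/.../audit.log]
disabled = 1

[tcp://9997]
"""

STANZA = re.compile(r"^\[monitor://(.+)\]\s*$")

def monitor_paths(conf_text):
    """Return the path of every [monitor://...] stanza in inputs.conf text."""
    return [m.group(1) for line in conf_text.splitlines()
            if (m := STANZA.match(line.strip()))]

def static_base(path):
    """Return (base, has_wildcard): the path before the first '*' or '...' segment."""
    parts = path.split("/")
    for i, seg in enumerate(parts):
        if "*" in seg or "..." in seg:
            return "/".join(parts[:i]) or "/", True
    return path, False

def audit(conf_text, exists=os.path.exists):
    """Classify each monitored path by what is present on disk right now."""
    report = []
    for path in monitor_paths(conf_text):
        base, wild = static_base(path)
        if not exists(base):
            status = "base-missing" if wild else "missing"
        else:
            status = "wildcard-base-present" if wild else "present"
        report.append((path, base, status))
    return report

if __name__ == "__main__":
    for path, base, status in audit(SAMPLE_CONF):
        print(f"{status:22} {path}  (checked: {base})")
```

Entries reported as `missing` or `base-missing` are the ones to confirm are actually being indexed after the restart, since a silent gap in collection is also a gap in detection coverage.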