Solved: Where is the default value of time_before_close p...

iparitosh · ‎05-16-2019

I could not find this property under $SPLUNK_HOME$/system/default/inputs.conf

time_before_close =
* The amount of time, in seconds, that the file monitor must wait for
modifications before closing a file after reaching an End-of-File
(EOF) marker.
* Tells the input not to close files that have been updated in the
past 'time_before_close' seconds.
* Default: 3.

DavidHourani · ‎05-16-2019

Hi @iparitosh,

The default value is defined in the documentation here as 3 seconds :
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

I ran a search on all .conf files and it's not defined there as well. It should be hard coded somewhere in the core configuration as this parameter is a core functionality for the monitoring stanza in inputs.conf.

Cheers,
David

View solution in original post

DavidHourani · ‎05-16-2019

Hi @iparitosh,

The default value is defined in the documentation here as 3 seconds :
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

I ran a search on all .conf files and it's not defined there as well. It should be hard coded somewhere in the core configuration as this parameter is a core functionality for the monitoring stanza in inputs.conf.

Cheers,
David

Where is the default value of time_before_close property defined in splunk?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes