Will Splunk re-index if inputs.conf changes and a ...

Branden · ‎04-16-2013

I have a large number of Universal Forwarders that forward Apache access logs. On my systems, the apache access logs are named -access.log and/or -ssl-access.log. On a regular basis, those files are rotated to -access.log.1 and/or -ssl-access.log.1. The .1 becomes a .2 after the next rotation, etc...

To simplify our environment a bit, I want to change our apache app to index "-access.log" or maybe even "*access". If I do the latter ("access") and restart the forwarder, will Splunk re-index all of the access log files? I do not want it to.

Thanks!

kristian_kolb · ‎04-16-2013

The fishbucket will keep track of what files have been indexed, and I don't think that it will care too much regarding the exact [monitor] stanza wording. Determining if a file has been read or not is more of an issue about checksums of the actual file(s) being monitored.

http://wiki.splunk.com/Community:HowSplunkReadsInputFiles
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/

One thing, though. If you create a common [monitor] for <hostname>-access.log and <hostname>-ssl-access.log, they would have to share the same sourcetype, which can be fine, if the contents (read: columns) of the file are the same. Have a read here as well;

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Whysourcetypesmatter

/Kristian

Branden · ‎04-16-2013

Kristian,

Thank you for the helpful reply. Yes, I understand they would be sharing a common sourcetype, and I am fine with that. I was more concerned with duplicate entries, which from you describe shouldn't be an issue.
Thanks again!

Will Splunk re-index if inputs.conf changes and a file is rotated?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms