Getting Data In

Monitoring folder stops monitoring files

keycoldstorage
Explorer

I suspect that this has something to do with the fact that my log files are being generated by appending to the end of a flat file.

A monitored folder with two flat files that are being written to is not adding to the index. When I add a test line at the top of the file, Splunk catches that on one file (about 80mb), but not the other (about 3mb). However, it still does not index the additions to the tails of the files.

Do I need to configure tailing? I was under the impression that the folder monitor was supposed to index changes in existing logfiles within the monitored folder.

I should add that these files are written to more than once per five seconds generally. Might that have something to do with my problem? I found this piece of information in the troubleshooter:

Splunk keeps only so many files open at a time (default, 32). If you have files that are written to more than once every 5 seconds, this table should be expanded.

Additional information: it appears as though this may have to do with buckets? I have 9 overlapping hot buckets, all of which are failing to start splunk-optimize. The errors seem to correspond roughly with the last indexed data in the two logs.

0 Karma

keycoldstorage
Explorer

Just in case some other noob like myself is out there and wonders why this sort of thing might happen, check to see if you've got forwarding enabled. I had turned it on to experiment with it, but didn't realize that, despite checking the "store a local copy" box, the forwarder would no longer index the data. I then proceeded to ignore the receiver, forget that I had enabled forwarding, and wonder why it wasn't working right when I came back to it after a month.

Anyway, deleted the forwarding configuration, restarted, and all is well.

0 Karma
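The check the reply above suggests, written as an added shell example (not code from the thread or from Splunk): it classifies an outputs.conf by whether a `[tcpout]` stanza is active and whether `indexAndForward` (or `[indexAndForward] index`) still keeps a local copy. The two sample conf files and the receiver name are constructed for the example.

```shell
# Added example, not from the thread or from Splunk. Assumes the standard
# outputs.conf keys: [tcpout] defaultGroup / disabled / indexAndForward
# and [indexAndForward] index.

# Print "key=value" lines (lowercased, whitespace stripped) from one stanza.
conf_stanza() {
    awk -v want="[$2]" '
        /^[ \t]*\[/  { gsub(/^[ \t]+|[ \t\r]+$/, ""); inside = ($0 == want); next }
        inside && /=/ { gsub(/[ \t\r]/, ""); print tolower($0) }' "$1"
}

# Classify a conf file as: not-forwarding, forwarding-only (nothing lands in
# the local index, the symptom in this thread), or forwarding+local-index.
check_outputs() {
    tcpout=$(conf_stanza "$1" tcpout)
    if printf '%s\n' "$tcpout" | grep -q '^defaultgroup=' \
       && ! printf '%s\n' "$tcpout" | grep -q '^disabled=true$'; then
        if printf '%s\n' "$tcpout" | grep -q '^indexandforward=true$' \
           || conf_stanza "$1" indexAndForward | grep -q '^index=true$'; then
            echo forwarding+local-index
        else
            echo forwarding-only
        fi
    else
        echo not-forwarding
    fi
}

# Constructed sample: forwarding enabled with no local copy (the poster's case).
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
[tcpout]
defaultGroup = lab_receiver
[tcpout:lab_receiver]
server = receiver.example.invalid:9997
EOF

# Constructed sample: same forwarder, but data is also kept in the local index.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
[tcpout]
defaultGroup = lab_receiver
indexAndForward = true
[tcpout:lab_receiver]
server = receiver.example.invalid:9997
EOF

echo "broken: $(check_outputs "$BROKEN_CONF")"   # forwarding-only
echo "fixed:  $(check_outputs "$FIXED_CONF")"    # forwarding+local-index
```

On a real instance, point `check_outputs` at the outputs.conf that `splunk btool outputs list --debug` reports as effective, since several apps can contribute stanzas.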