Solved: Re: active-only/eatonlylivefiles in Splunk 4.3

matthewpowell · ‎01-27-2012

The "active-only" feature doesn't seem to work in Splunk 4.3:

# splunk add monitor /var/log/messages -active-only true
In handler 'monitor': Argument "eatonlylivefiles" is not supported by this handler.

It's still listed as a feature in "splunk help add" and at http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI.

Has the feature been removed (and if so, is there a reason why it's no longer useful)? Or is this a bug?

hexx · ‎01-28-2012

As you found out, this option has been taken out of the code base as of Splunk 4.3. The references to it in the CLI documentation and help have been left behind by mistake. I've just removed the reference in the CLI documentation and it will be gone from the CLI help in Splunk 4.3.1.

View solution in original post

hexx · ‎01-28-2012

As you found out, this option has been taken out of the code base as of Splunk 4.3. The references to it in the CLI documentation and help have been left behind by mistake. I've just removed the reference in the CLI documentation and it will be gone from the CLI help in Splunk 4.3.1.

hexx · ‎01-30-2012

This feature has been removed as of Splunk 4.1 because its implementation did not yield satisfactory results and seemed redundant with the improved tailing processor that was introduced with that version.

matthewpowell · ‎01-30-2012

Thanks for the answer. Out of curiosity, do you know why it was removed? Were there problems with the feature, or was it just not all that useful in the first place?

active-only/eatonlylivefiles in Splunk 4.3

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases