We have a universal forwarder on Linux that seems to get 'stuck' reading one of the two high event log files being read from an iSeries IFS.
The file it gets stuck on can be either of the two files. The files seem to get events at about the rate of 60 a second during the busy parts of the day; I think the forwarder just can't get to the end of the file to switch to the other file.
Is there any way to configure the forwarder for this situation? Add more 'reader' threads?
If not, how do I set up another forwarder on Linux? Duplicating the /opt/splunkforwarder directory seems kind of problematic...