When you specify a path to a file or directory, the monitor processor consumes any new data written to that file or directory. Using the method of specifying the path, you can monitor live application logs such as those coming from Web access logs, Java 2 Platform Enterprise Edition (J2EE), or. Splunk uses memory for each file monitored, even if the file is ignored.

The forwarder monitors and indexes the file or directory as new data appears. You can also specify a mounted or shared directory, including network file systems, as long as the forwarder can read from the directory. If the specified directory contains subdirectories, the monitor process recursively examines them for new files, as long as those directories can be read.

So long as the stanza names are different, the forwarder treats them as independent stanzas and files matching the most specific stanza will be treated in accordance with its settings. You can include or exclude files or directories from being read by using allow lists or exclude lists.

If you disable or delete a monitor input, the forwarder does not stop indexing the files that the input references. It only stops checking those files again. To stop all in-process data indexing, you must restart the forwarder.

How the forwarder handles the monitoring of files during restarts

When you restart a forwarder, it continues processing files where it left off before the restart. It first checks for the file or directory specified in a monitor configuration. If the file or directory is not present on start, the forwarder checks for it every 24 hours from the time of the last restart. The monitor process scans subdirectories of monitored directories continuously.

In order to monitor archived files, forwarders decompress archive files, such as a TAR or ZIP file, prior to processing. Splunk then processes these files in a single threaded format. The following types of archive files are supported:
If you use Splunk Web on a heavy forwarder to configure file monitor inputs, you can use the Set Sourcetype page to see how the Splunk platform indexes the file. You can add MonitorNoHandle inputs using either the CLI or the nf file.