Hello everyone,
I have Splunk Universal Forwarder running on a server watching a few files for changes. Log data is inserted at the end of the files every 5 minutes or so.
Up until a few days ago, all files were working and being correctly monitored. Today I noticed that a single file out of 10+ is not being monitored correctly.
When the script appends something to the file and closes it (thus updating the update date), the data doesn't arrive at the index. However, if I open the file, change anything and save it, all the data that should have arrived suddenly arrives.
This problem started out of the blue. I tried restarting the universal forwarder service, changing how the file is saved, deleting the file and letting the script re-create it, everything, but it still won't work.
Any ideas? Has this ever happened to anyone before?
P.S.: The file is opened and closed explicitly in my script. All other files do the same thing and work, only this one file is giving me trouble.
Thanks!