Hi All,
Hope you are doing good.
I have come across a difficult situation in indexing a file. We have few Universal Forwarders, on which files will be rotated very fast (within seconds) during mid night. Once they reach the specified size limit, they will be gzipped and moved to archive folder (we are not monitoring this folder). Due to this fast rotation, we are unable to see the logs from those files at that particular time (not indexing may be). The inputs.conf stanza is configured as below:
[monitor:///logs/user/*.op]
blacklist = (\.\d+|\.gz)
index = index
sourcetype = sourcetype
recursive = true
We have default value for the throughput on the Universal Forwarders. Could you please help me in resolving this issue?
Thanks in advance.
↧