Forums: SplunkAdministration: forwarder-server latency


Hi,
I'm evaluating Splunk and have a very simple configuration - a central Splunk + a number of light forwarders. The problem is that data from the forwarder appears on the central server ~30 mins after it appears in the logs that are scanned by the forwarder. What might be the cause?

Thanks.

Not knowing very much, but it's more likely because of latency on the forwarder. Do you have a lot of files you are monitoring? Do you have a lot of files that are *not* being updated (or not being monitored) in the same directory as files you *are* monitoring? In 3.4.11, there is a setting for file monitors to increase the scan speed if you have a lot of files, though it can cause higher CPU usage.

According to the forwarder logs, the data logs are scanned often, but I see them on the central server only after a significant delay.

What exactly are you looking at on the forwarder that suggests how often files are scanned or data is read, and what is it saying exactly?

Filter: source="fileTracker"
Trace: 4ab387d2 initcrc::53e45013e90ef5bb seekcrc::d992bf2ededdd795 seekptr::15ba0 modtime::1253279697 filename::/opt/grdsrve/DSEngine/work/fragmcfp90-6/log/engine-6.09.15.2009-11.29.12.log source::/opt/grdsrve/DSEngine/work/fragmcfp90-6/log/engine-6.09.15.2009-11.29.12.log

By the trace timestamp and file name I see (at least I think so) how often it is accessed.

No, this does indicate that. This is Splunk's persistent record of the state of the file after Splunk decides to close the file (e.g. if it hasn't been updated in a long time). It has very little to do with how often the file is actually read.

Again, do you have a lot of files you are monitoring? Do you have a lot of files that are *not* being updated (or not being monitored) in the same directory as files you *are* monitoring?
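
Added example, not part of the original thread and not Splunk code: a small Python parser for the `fileTracker` record quoted above, showing that its fields describe per-file state (offset, modification time) rather than a read schedule. The function names are hypothetical, and reading `seekptr` and the leading token as hexadecimal and `modtime` as Unix epoch seconds are assumptions based only on how the values look.

```python
from datetime import datetime, timezone

# The "Trace:" record exactly as quoted in the thread.
SAMPLE = (
    "4ab387d2 initcrc::53e45013e90ef5bb seekcrc::d992bf2ededdd795 "
    "seekptr::15ba0 modtime::1253279697 "
    "filename::/opt/grdsrve/DSEngine/work/fragmcfp90-6/log/engine-6.09.15.2009-11.29.12.log "
    "source::/opt/grdsrve/DSEngine/work/fragmcfp90-6/log/engine-6.09.15.2009-11.29.12.log"
)


def parse_filetracker(line):
    """Split a record into its leading token and its key::value fields."""
    head, *tokens = line.split()
    fields, last = {}, None
    for tok in tokens:
        key, sep, val = tok.partition("::")
        if sep and key.isalnum():
            fields[key] = val
            last = key
        elif last is not None:
            # No usable "key::" prefix: treat as the rest of a path with spaces.
            fields[last] += " " + tok
        else:
            raise ValueError("unexpected token before first field: %r" % tok)
    return head, fields


def utc(epoch_seconds):
    """Render epoch seconds as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def describe(line):
    """Decode the fields that carry file state (interpretations are assumptions)."""
    head, f = parse_filetracker(line)
    return {
        "record_time_utc": utc(int(head, 16)),        # assumption: hex epoch seconds
        "file_modified_utc": utc(int(f["modtime"])),  # assumption: epoch seconds
        "seek_offset": int(f["seekptr"], 16),         # assumption: hex byte offset
        "filename": f["filename"],
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(key, "=", value)
```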

Not many - we are just evaluating Splunk, thus the forwarder processes no more than a dozen logs.