I previously asked the following question, and I vaguely understood that the delaycompress option is recommended.
https://answers.splunk.com/answers/577144/about-log-rotation-best-practices.html
However, I want to understand it in a bit more detail.
I think delaycompress is recommended for the following reasons.
Did I get that right?
If I use compress,
Since the inode changes when the file is compressed, if the file is compressed before Splunk finishes reading it, the log is lost in Splunk.
However, when using delaycompress,
Since the first-generation file is only renamed, the inode does not change, so even if Splunk has not finished reading the file, it can still read the renamed file. Therefore, log loss does not occur.
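The inode behaviour behind this question, as an added shell demonstration that is not part of the original post and not Splunk's or logrotate's own code: one rotation step is simulated in a temporary directory (a constructed stand-in for /var/log, with the stanza path and names below being assumptions), once as a plain rename (what delaycompress leaves in place for one cycle) and once with gzip (what compress does immediately).

```shell
#!/bin/sh
# Added example: why a rename keeps a reader's inode valid while
# immediate compression does not. Uses a constructed temp dir.
set -eu

inode_of() { ls -i "$1" | awk '{print $1}'; }

# Rename-only step: app.log -> app.log.1 is the same inode, so a
# reader that still holds the file open or tracks it by inode can
# keep reading the same data to the end.
rotation_keeps_inode() {
    dir=$(mktemp -d)
    printf 'line1\nline2\n' > "$dir/app.log"
    before=$(inode_of "$dir/app.log")
    mv "$dir/app.log" "$dir/app.log.1"
    after=$(inode_of "$dir/app.log.1")
    rm -rf "$dir"
    [ "$before" = "$after" ]
}

# Compress step: gzip writes app.log.1.gz as a new file (new inode)
# and removes app.log.1, so any unread tail of the plain-text file
# now exists only inside the archive.
compression_changes_inode() {
    dir=$(mktemp -d)
    printf 'line1\nline2\n' > "$dir/app.log.1"
    before=$(inode_of "$dir/app.log.1")
    gzip "$dir/app.log.1"
    after=$(inode_of "$dir/app.log.1.gz")
    rm -rf "$dir"
    [ "$before" != "$after" ]
}

# Assumed logrotate stanza that defers the gzip step by one cycle:
#   /var/log/app.log {
#       daily
#       rotate 7
#       compress
#       delaycompress
#   }
rotation_keeps_inode && echo "rename: inode preserved"
compression_changes_inode && echo "gzip: inode changed"
```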