Hi, I noticed that, right after a log rotation, the data is not being indexed anymore.
Data is still going through /var/log/myapp.log and /var/log/messages (rsyslog UDP), so it all arrives on the machine (at 100%), but it is not being indexed.
On Splunk, I am monitoring logs arriving with real-time searches. Before log-rotate everything is fine and logs are arriving on a regular basis. After logrotate, I do not get anything anymore.
Here is my inputs.conf:
[monitor:///var/log/myapp.log]
sourcetype = myappsourcetype
crcSalt =
crcSalt = 2048
disabled = 0
My logrotate conf:
"/var/log/myapp.log" {
monthly
size 100M
rotate 30
compress
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` &> /dev/null || true
endscript
}
My sourcetype shouldn't be the problem, as it only contains some side field extractions.
Thank you very much in advance
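A check worth running before changing inputs.conf is to confirm where new lines actually land after the rotation. The postrotate script above only HUPs syslogd, so the process writing /var/log/myapp.log may still hold the descriptor of the rotated file; the monitor is then watching an empty new file while lines keep going into myapp.log.1. The script below is an added example, not part of the question or of Splunk; it reproduces a logrotate "create"-style rotation in a temporary directory (the paths, the two writer behaviours and the output format are all constructed for the demo) and reports, for a writer that keeps its descriptor and for one that reopens the path, how many lines end up in the new file versus the rotated one and whether the inode at the monitored path changed.

```shell
#!/bin/sh
# Added example (not from the question): simulate a logrotate rotation of a
# file like /var/log/myapp.log and show where a writer's lines land afterwards.
set -eu

WORKDIR=$(mktemp -d)          # constructed sandbox instead of /var/log
LOG="$WORKDIR/myapp.log"
trap 'rm -rf "$WORKDIR"' EXIT

# Inode of a path; portable across GNU and BSD userlands.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# logrotate's default behaviour (no copytruncate): rename the live file and
# create a fresh, empty one at the old path. The old inode now lives at .1.
rotate() {
    mv "$1" "$1.1"
    : > "$1"
}

# Writer that opens the log once and keeps the descriptor across the rotation,
# like a daemon that never receives a reopen signal from postrotate.
# Prints: "<lines in new file> <lines in rotated file> <inode changed yes/no>"
run_stale_writer() {
    rm -f "$LOG" "$LOG.1"
    : > "$LOG"
    before=$(inode_of "$LOG")
    exec 3>>"$LOG"                 # open once, keep fd 3
    echo "before rotate" >&3
    rotate "$LOG"
    echo "after rotate" >&3        # still goes to the old inode (now .1)
    exec 3>&-
    after=$(inode_of "$LOG")
    new=$(wc -l < "$LOG" | tr -d ' ')
    old=$(wc -l < "$LOG.1" | tr -d ' ')
    [ "$before" != "$after" ] && changed=yes || changed=no
    echo "$new $old $changed"
}

# Writer that reopens the path for every write, equivalent to a daemon that
# closes and reopens its log when HUP'd after rotation.
# Prints: "<lines in new file> <lines in rotated file>"
run_reopening_writer() {
    rm -f "$LOG" "$LOG.1"
    : > "$LOG"
    echo "before rotate" >> "$LOG"
    rotate "$LOG"
    echo "after rotate" >> "$LOG"  # reopened: lands in the new inode
    new=$(wc -l < "$LOG" | tr -d ' ')
    old=$(wc -l < "$LOG.1" | tr -d ' ')
    echo "$new $old"
}

echo "stale writer  (new old inode_changed): $(run_stale_writer)"
echo "reopen writer (new old):               $(run_reopening_writer)"
```

On a real host the same comparison is `ls -i /var/log/myapp.log` before and after the rotation plus `lsof /var/log/myapp.log.1` to see whether the writer still has the rotated file open; if it does, the monitored path receives nothing until the writer reopens it, independent of the crcSalt setting.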