All,
I am trying to understand why Splunk it opening a file here.
When I run LSOF I see Splunk looking at a rolled over file "/opt/jboss-6.1.0.Final/server/default/log/jboss.log.2016-09-29"
splunkd 29966 root 48u REG 253,0 3381522238 5800576 /opt/jboss-6.1.0.Final/server/default/log/jboss.log.2016-09-29
[root@lvsp01cat001 default]#
But we don't monitor this file at all. It's not in our inputs.conf
[root@lSERVER default]# /opt/splunkforwarder/bin/splunk btool inputs list | grep -i jboss
[monitor:///opt/jboss/server/default/log/jboss.access.log.*]
index = jbossweb
sourcetype = jbossweb_access
[monitor:///opt/jboss/server/default/log/jboss.log]
[root@SERVER default]#
My theory is logrotate is rotating the file, the iNode is the same and Splunk it not releasing it.
/opt/splunkforwarder/bin/splunk -version
Splunk Universal Forwarder 6.3.3 (build f44afce176d0)
I am on 6.3.3 but I have seen thie behavior on 6.4x as well. Any idea what is going on here? Getting hounded by our Java support guys saying this isn't "permitted of Splunk".
↧