From Splunk Wiki

Is this file locked on Windows?

The Windows NTFS file system has many levels of file locking and blocking, which is useful for granular access and integrity controls. However, it also makes it difficult to troubleshoot whether a log reader like Splunk is blocked from reading a file. Most applications that write logs don't take blocking locks, specifically so that logging and backup applications can read them, but that behavior is not universal.

If you are trying to read a log and Splunk either reports that it cannot read the file (e.g. from a spool attempt) or simply skips it (e.g. from a directory monitor), the best tool to diagnose the problem is Process Monitor from Microsoft.

Sysinternals Website

Process Monitor is the improved version of the old Sysinternals favorite, acquired by Microsoft.

Open Process Monitor and filter by "file access." If the file appears, drill down on that file. There is a field called Share Mode, which shows what other programs are allowed to do with that file while it is open. If it does not include "Read", then the file writer has an exclusive, blocking lock on the file.

Note that Splunk only tries periodically to read the file(s) targeted with a monitor request. Therefore, if the file is being locked and unlocked periodically or with every write, you may experience long delays before Splunk can read it. Over many files, this may appear as inconsistent or sporadic indexing.

If the file is readable but an immediate spool attempt still cannot read it, check your splunkd.log for possible permission problems as your next troubleshooting step.
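To cross-check the Share Mode finding without Process Monitor, the following PowerShell script (an added example, not part of the original page and not Splunk's code) repeatedly opens the file for shared reading and tallies the outcomes, separating a sharing lock from a permission problem. The path, the function name `Test-LogFileReadable`, and the choice of share flags are assumptions made for illustration; Splunk's own open call may use different flags.

```powershell
param(
    [string]$Path = 'C:\Logs\example.log',  # hypothetical path; use the monitored file
    [int]$Samples = 20,                     # number of open attempts
    [int]$IntervalMs = 500                  # delay between attempts
)

function Test-LogFileReadable {
    param([Parameter(Mandatory)][string]$Path)

    # Request read access only and let the writer keep writing, renaming or
    # deleting. A sharing violation then means the process holding the file
    # opened it without Read in its share mode.
    $share = [System.IO.FileShare]'ReadWrite, Delete'
    $mode = [System.IO.FileMode]::Open
    $access = [System.IO.FileAccess]::Read
    try {
        $fs = [System.IO.File]::Open($Path, $mode, $access, $share)
        $fs.Dispose()
        return 'Readable'
    }
    catch {
        # PowerShell may wrap the .NET exception; walk down to the original.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }

        # Low 16 bits of HResult carry the Win32 error code:
        # 32 = ERROR_SHARING_VIOLATION, 33 = ERROR_LOCK_VIOLATION.
        $win32 = $ex.HResult -band 0xFFFF

        if ($ex -is [System.UnauthorizedAccessException]) { return 'PermissionDenied' }
        if ($ex -is [System.IO.FileNotFoundException]) { return 'NotFound' }
        if ($ex -is [System.IO.DirectoryNotFoundException]) { return 'NotFound' }
        if ($ex -is [System.IO.IOException] -and $win32 -in 32, 33) { return 'Locked' }
        return "Other: $($ex.Message)"
    }
}

# A writer that locks and unlocks around each write shows up as a mix of
# 'Locked' and 'Readable' results, so sample several times instead of once.
$results = for ($i = 0; $i -lt $Samples; $i++) {
    Test-LogFileReadable -Path $Path
    Start-Sleep -Milliseconds $IntervalMs
}
$results | Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it under the same account as the Splunk service; otherwise a `PermissionDenied` or `Readable` result reflects your own permissions, not Splunk's.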
