I'm having a problem getting Splunk to monitor an active IIS log. When I look at the SplunkD log, I see the following errors:
05-17-2012 16:55:52.503 -0400 WARN FileClassifierManager - The file 'D:LOGSMSFTPSVC1ex120517.log' is invalid. Reason: binary 05-17-2012 16:55:52.503 -0400 INFO TailingProcessor - Ignoring file 'D:LOGSMSFTPSVC1ex120517.log' due to: binary
When I open the log file, I see normal text, however there is a bunch of white space at the bottom of the file. I assume this has to due with IIS still writing to the file.
How can I get Splunk to read this active log file so we can get real-time data?
asked 17 May '12, 14:03
In props.conf, put
This assumes that the "offending" file has a sourcetype that starts with iis. Feel free to substitute a source specification instead of the sourcetype.
answered 17 May '12, 14:54