Solved: Does fschange use inotify / ReadDirectoryChangesW ...

southeringtonp · ‎11-10-2010

Does Splunk make full use of operating system specific features when monitoring for changed files?

In particular, I'm thinking of the inotify subsystem on Linux, and ReadDirectoryChangesW() or similar when running on Windows.

If these are used, how does that impact the pollPeriod setting in inputs.conf? Can pollPeriod be omitted or set to a significantly higher value to improve performance?

I'm primarily thinking of fschange, but the question could also be applicable to monitor:// inputs.

gkanapathy · ‎11-11-2010

It does not. There has been some talk I have heard from Splunk engineers that (on platforms where this is applicable) that the input processors may some day be enhanced to use OS notifications like this, but the current ones do not.

View solution in original post

gkanapathy · ‎11-11-2010

It does not. There has been some talk I have heard from Splunk engineers that (on platforms where this is applicable) that the input processors may some day be enhanced to use OS notifications like this, but the current ones do not.

Does fschange use inotify / ReadDirectoryChangesW or similar?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases