In all likelihood, this is happening because the log writer is buffering content before appending it to the file you are monitoring and occasionally pausing mid-event for longer than the default 'time_before_close' duration (3s), as defined in inputs.conf.spec:
time_before_close = <integer>
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past <integer> seconds.
* Defaults to 3.
The solution here is to adjust 'time_before_close' (on a per-stanza basis in inputs.conf) so that Splunk's tailing processor will only close a given file after the longest pause that the log writer can take.
For example, if you know that the log writer can pause for up to 5 seconds mid-event, adjust 'time_before_close' to a value that can comfortably accommodate that, say 10.
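The failure mode described above, as an added example that is not Splunk's code and not part of the original answer: a small Python model of a tail reader that closes a file once it has sat at EOF for time_before_close seconds, run against a constructed writer that pauses 5 seconds in the middle of one event. The log lines, the write timestamps and the inputs.conf stanza in the comment are assumptions for illustration; the reader is a simplification of the behaviour the spec describes, not Splunk's actual tailing processor.

```python
# Added example: a simplified model of a tail reader with a
# time_before_close-style close rule. NOT Splunk's code.
#
# The equivalent fix in inputs.conf (hypothetical stanza and path):
#
#   [monitor:///var/log/app/payments.log]
#   sourcetype = app_payments
#   time_before_close = 10      # default is 3; writer can pause up to 5s mid-event
#
# Constructed sample writer: one event is appended in two chunks with a
# 5 second pause between them, followed by a second, complete event.
WRITES = [
    (0, "2024-05-01 12:00:00 ERROR Payment failed: "),   # first half of event 1
    (5, "card declined\n"),                             # second half, 5s later
    (6, "2024-05-01 12:00:06 INFO retry ok\n"),          # event 2
]


def tail_events(writes, time_before_close, end_time):
    """Poll a simulated file once per second from t=0 to end_time.

    writes: list of (timestamp, text) chunks appended to the file in order.
    Returns the list of events the reader emits. Complete lines become events
    as they are read; if the file is at EOF and has not been modified for
    time_before_close seconds, the reader closes it and flushes any partial
    line it was holding as a (truncated) event of its own.
    """
    content = ""          # bytes currently in the file
    next_write = 0
    last_modtime = None   # simulated mtime of the file
    read_pos = 0          # how far the reader has consumed
    pending = ""          # partial line buffered across reads
    file_open = False
    events = []

    for now in range(end_time + 1):
        # apply every write that has happened by 'now'
        while next_write < len(writes) and writes[next_write][0] <= now:
            ts, text = writes[next_write]
            content += text
            last_modtime = ts
            next_write += 1

        if read_pos < len(content):
            # new data: (re)open the file and consume it
            file_open = True
            pending += content[read_pos:]
            read_pos = len(content)
            lines = pending.split("\n")
            pending = lines.pop()            # trailing piece with no newline yet
            events.extend(line for line in lines if line)
        elif file_open and now - last_modtime >= time_before_close:
            # at EOF and idle longer than time_before_close: close the file,
            # which flushes the half-written event as its own record
            if pending:
                events.append(pending)
                pending = ""
            file_open = False

    return events


if __name__ == "__main__":
    for tbc in (3, 10):
        print(f"time_before_close = {tbc}:")
        for ev in tail_events(WRITES, tbc, 20):
            print("   ", repr(ev))
```

With the default of 3 the first event is split into two records ("... Payment failed: " and "card declined"); with 10 the reader outlives the 5 second pause and emits the event whole. The same idea applies to any value: pick time_before_close larger than the longest mid-event pause the writer can take.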