Hi @krutika_ag,

As per the Splunk docs: If you add new data to an existing archive file, the forwarder reprocesses the entire file rather than just the new data. This can result in event duplication.

Thus, to avoid duplication, Splunk monitors whole archive files and does not support single-file monitoring. So you/we cannot monitor a single file inside an archive.

What I would like to suggest is that you ask the developers/app team who create that archive file to put it in a separate archive file every time there is an update to the archive file. I am still not very sure of this suggestion, but this should be possible as per my understanding. Thanks.