I need to monitor daily reports with Splunk.
However, the events in the logs are constantly updated throughout the day, as each event lasts a whole day.
Is there any way to configure Splunk to ensure that it does not parse the event into Splunk until the event has finished?
Hi iceokoli,
No, this is not possible using a monitor stanza in inputs.conf. A monitor stanza will observe the file or directory constantly for new data.
But ...
You see, there are some options but out of the box this will not work the way you asked.
Hope this helps ...
cheers, MuS
You're welcome. Please mark this as answered by ticking the tick - thx 🙂
Thanks a lot