If I'm monitoring a very large logfile
[monitor:///home/me/logs]
whitelist = (myApp)\.log$
/home/me/logs/myApp.log
And at some point, a process rotates the file to:
/home/me/logs/OLD/myApp.log
If the file hasn't fully been forwarded at the time of rotation ... will:
Thank you.
If
Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.
Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.