Hello,
I have configured inputs.conf to monitor the log file on the path. Please find the details below:
Problem: Every time it sends the whole file to Splunk and I am getting duplicate alerts. Ideally it should send only new entries that have not already been sent to the indexer.
Use the two additional options below in inputs.conf and check.
[monitor://(file path)]
disabled = 0
index = XXXXX
sourcetype = XXXXX
# Skip files whose modification time is older than this span, e.g. 7d
ignoreOlderThan = (non-negative integer)[s|m|h|d]
# Open the file to check whether it was already indexed instead of trusting mtime/size
alwaysOpenFile = 1
You should append to the file or create a new file with a new name.
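The reply above says to append rather than rewrite the file, and the question asks why the whole file is resent. The following is an added example, not code from the thread or from Splunk: a toy model of the two documented pieces of the forwarder's file tracking, a CRC of the first initCrcLength bytes (default 256) that identifies the file, and a per-CRC seek address stored in the fishbucket so only bytes past it are forwarded. The paths, log lines and the "report generated" header are constructed for the demo, and the model leaves out crcSalt and the seek-address CRC the real forwarder also keeps.

```python
"""Toy model of how a Splunk forwarder decides what to send from a monitored
file. Added example, not Splunk's code: it reproduces only the CRC-of-head plus
seek-address behaviour and ignores crcSalt and the seek-address CRC."""
import zlib

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength


def sample_lines(start, count):
    """Constructed log lines (not real data). Each is 62+ bytes, so five of them
    already exceed INIT_CRC_LENGTH and appending never touches the CRC window."""
    return b"".join(
        b"2024-01-01T00:%02d:00 host=web01 app=demo event=heartbeat seq=%d\n" % (i, i)
        for i in range(start, start + count)
    )


class FishbucketModel:
    """Maps a file's head CRC to the number of bytes already forwarded."""

    def __init__(self):
        self.seek = {}

    @staticmethod
    def crc(data):
        return zlib.crc32(data[:INIT_CRC_LENGTH])

    def poll(self, data):
        """Return the lines the forwarder would send when it sees `data`."""
        key = self.crc(data)
        offset = self.seek.get(key, 0)
        if offset > len(data):
            offset = 0  # file got shorter: model treats it as rewritten and rereads
        self.seek[key] = len(data)
        return data[offset:].decode().splitlines()


def appending_writer():
    """Correct pattern: the writer appends, so the head CRC is stable and only
    the bytes past the stored seek address go out on the second poll."""
    fb = FishbucketModel()
    content = sample_lines(0, 5)
    first = fb.poll(content)
    content += sample_lines(5, 2)
    second = fb.poll(content)
    return len(first), second


def regenerating_writer():
    """The anti-pattern behind the question: the writer rewrites the whole file
    on every run and the first line (a generation timestamp) changes, so the
    CRC is new, the seek address is unknown, and every line is forwarded again."""
    fb = FishbucketModel()
    body = sample_lines(0, 5)
    run1 = b"# report generated 2024-01-01T00:10:00\n" + body
    first = fb.poll(run1)
    run2 = b"# report generated 2024-01-01T00:20:00\n" + body + sample_lines(5, 1)
    second = fb.poll(run2)
    return len(first), len(second)


def rotation_by_rename():
    """Rename-style rotation is safe: the rotated file keeps its CRC, so its
    seek address is found and nothing is resent; the fresh file has a new CRC
    and is read from byte 0, which is exactly the new content."""
    fb = FishbucketModel()
    old = sample_lines(0, 5)
    fb.poll(old)
    rotated = fb.poll(old)  # same bytes, now under a rotated name
    fresh = fb.poll(sample_lines(5, 5))
    return rotated, len(fresh)


if __name__ == "__main__":
    print("append: first poll %d lines, second poll %r" % appending_writer())
    print("regenerate: first poll %d lines, second poll %d lines (all duplicates)" % regenerating_writer())
    print("rotate: rotated file resends %r, fresh file sends %d lines" % rotation_by_rename())
```

Run it and compare the three scenarios: only the regenerating writer produces a second poll as large as the first, which is the duplicate-alert symptom described in the question. To check which case a real deployment is in, compare the first 256 bytes of the file before and after the application writes it; if they differ, the application is rewriting, and settings such as ignoreOlderThan or alwaysOpenFile do not change that.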