When initially set up, my Splunk install is set to capture only the most recent version of a log:
/path/to/log/dir/logfile.
Well, sometimes, due to maintenance, etc., Splunk is shut off, and when it is restarted I have to go through the process of reloading (via oneshot) the data from logfile.1, logfile.2, logfile.3 . . . to get caught up.
On systems I've set up, I just have inputs.conf configured for /path/to/log/dir with a whitelist on logfile*$
What will happen if I change the previous configuration? Will it re-index all the previous logfile.\d+$ files or is it self-aware enough to not do that?
Normally Splunk will not re-index a file it has already seen (as it keeps track of what has already been indexed in a special index called the fishbucket).
http://docs.splunk.com/Documentation/Splunk/6.0/Data/MonitorFilesAndDirectories#How_monitor_works_in...
http://docs.splunk.com/Documentation/Splunk/6.0/Data/HowLogFileRotationIsHandled
http://wiki.splunk.com/Community:HowSplunkReadsInputFiles
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/
/K
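The behaviour K describes, as an added model in Python that is not Splunk's code and is not from the original thread: a toy fishbucket that fingerprints each file by a CRC over its first 256 bytes (Splunk's default initCrcLength) and remembers how far into that file it has read. It assumes Splunk's documented crcSalt = <SOURCE> option, and the log files, their contents and the whitelist regex are constructed here. The scenario follows the question: first monitor only logfile, then widen the whitelist to the rotated copies, then append to logfile. It also shows the caveat a practitioner wants before relying on this: rotated copies whose first 256 bytes are identical (a fixed banner, for example) collide on the same key and are silently skipped unless the source path is added to the salt.

```python
import os
import re
import tempfile
import zlib

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength (assumption: unchanged in inputs.conf)


def file_key(path, crc_salt=None):
    """Fingerprint a file the way the monitor input does: CRC over the first
    INIT_CRC_LENGTH bytes, optionally salted with the path (crcSalt = <SOURCE>)."""
    with open(path, "rb") as fh:
        head = fh.read(INIT_CRC_LENGTH)
    salt = path.encode() if crc_salt == "<SOURCE>" else b""
    return zlib.crc32(salt + head)


class FishBucket:
    """Toy stand-in for the fishbucket: file key -> number of bytes already indexed."""

    def __init__(self):
        self.seek = {}

    def read_new(self, path, crc_salt=None):
        """Return only the bytes not yet indexed for this file's key.
        A file whose key is already known and fully read yields nothing,
        which is exactly why re-monitoring does not re-index."""
        key = file_key(path, crc_salt)
        offset = self.seek.get(key, 0)
        with open(path, "rb") as fh:
            fh.seek(offset)  # seeking past EOF is allowed and reads b""
            data = fh.read()
        self.seek[key] = offset + len(data)
        return data


def scan(bucket, log_dir, whitelist, crc_salt=None):
    """Monitor log_dir with a whitelist regex; return {name: newly indexed bytes}."""
    out = {}
    for name in sorted(os.listdir(log_dir)):
        if not re.search(whitelist, name):
            continue
        data = bucket.read_new(os.path.join(log_dir, name), crc_salt)
        if data:
            out[name] = data
    return out


def demo(shared_header, crc_salt=None):
    """Constructed scenario: logfile plus rotated copies logfile.1 and logfile.2.
    Returns the sorted names that produced new data in each of three scans."""
    files = {
        "logfile": b"2014-01-03 current event\n",
        "logfile.1": b"2014-01-02 older event\n",
        "logfile.2": b"2014-01-01 oldest event\n",
    }
    # A banner longer than INIT_CRC_LENGTH makes every file's fingerprint identical.
    banner = b"#" * INIT_CRC_LENGTH + b"\n" if shared_header else b""
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(banner + body)
        bucket = FishBucket()
        # 1. original setup: only the current log is whitelisted
        step1 = scan(bucket, d, r"^logfile$", crc_salt)
        # 2. widened whitelist: rotated copies are new, logfile is already seen
        step2 = scan(bucket, d, r"^logfile(\.\d+)?$", crc_salt)
        # 3. the application writes more; only the appended bytes are picked up
        with open(os.path.join(d, "logfile"), "ab") as fh:
            fh.write(b"2014-01-03 new event\n")
        step3 = scan(bucket, d, r"^logfile(\.\d+)?$", crc_salt)
        return [sorted(s) for s in (step1, step2, step3)]


if __name__ == "__main__":
    print("distinct headers:       ", demo(shared_header=False))
    print("shared header, no salt: ", demo(shared_header=True))
    print("shared header, <SOURCE>:", demo(shared_header=True, crc_salt="<SOURCE>"))
```

With distinct file headers the widened whitelist indexes logfile.1 and logfile.2 once and never re-reads logfile; with an identical 256-byte header and no salt the rotated copies are treated as the file already read and are skipped, and setting crcSalt = <SOURCE> in the monitor stanza restores the expected result.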