I have a PowerShell script that is writing data about sessions for an application to a file every 5 minutes, so the file timestamp is changing, but Splunk only pulls in changed or new sessions. I was hoping Splunk would pull in all the data every 5 minutes so that I could get a good point-in-time count of the number of sessions and what they looked like at that time. Does anyone know if I can force Splunk to ingest the entire file when it changes?

Here is the code I use to write a PowerShell object to a Splunk-friendly file in case anyone is interested. "Id" is where the line break should be.
($obj | fl | Out-String).Trim() -replace "`n`r`n","" -replace "`r`n","," -replace " :","=" -replace " +"," " -replace "(?m)^Id","`nId" | Set-Content $file