Splunk will not release a file handler immediately when the monitored file changes its name. According to the parameter time_before_close, Splunk will only close the fd when the difference between the current EOF time and the prior EOF time is larger than 3 seconds (default).
According to @thirusama's log name, I believe in his/her case, the log rotation policy should be 'rename and recreate'. If so, it means the current log file will be renamed when it hits the rotation threshold. When rotating, Splunk will not close the fd immediately and switch to the new file if the forwarder functions as it says in Splunk Docs. And this mechanism will let Splunk collect events when the log file rotates.
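The behaviour described in the post above, as an added illustration that is not part of the original post and is not Splunk's code: a simplified POSIX model of a tailing reader during a 'rename and recreate' rotation, comparing a reader that keeps its fd open until it has sat at EOF for longer than a close window with one that switches to the new file at once. The `collect` function, the file names, the event strings and the shortened 0.2-second window are assumptions made for the demo.

```python
import os
import tempfile
import time


def collect(hold_fd, time_before_close=0.2):
    """Return the events a tailing reader sees across one log rotation.

    hold_fd=True  : keep the old fd open until EOF has been idle for longer
                    than time_before_close (the behaviour the post describes).
    hold_fd=False : drop the fd as soon as the path changes (for contrast).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")          # constructed sample log
        with open(path, "w") as w:
            w.write("event-1\n")

        reader = open(path)                        # reader tails the live log
        events = reader.read().split()

        # Writer appends a last event, then rotates: rename and recreate.
        with open(path, "a") as w:
            w.write("event-2\n")
        os.rename(path, path + ".1")
        with open(path, "w") as w:
            w.write("event-3\n")

        if hold_fd:
            # The open fd still refers to the renamed file, so keep draining
            # it until no new data has arrived for time_before_close seconds.
            last_data = time.monotonic()
            while time.monotonic() - last_data <= time_before_close:
                chunk = reader.read()
                if chunk:
                    events += chunk.split()
                    last_data = time.monotonic()
                time.sleep(0.05)
        reader.close()

        # Only now switch to the file that currently lives at the path.
        with open(path) as new_file:
            events += new_file.read().split()
        return events


if __name__ == "__main__":
    print("fd held across rotation:", collect(hold_fd=True))
    print("fd dropped on rotation: ", collect(hold_fd=False))
```

With the fd held, the event written just before the rename is still collected; with the fd dropped at rotation, that event never reaches the reader, which is a gap in the collected log.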