Thank you. In fact, I am not changing the existing content of my JSON file; I am always appending new records. But the append is only a logical append; there are scenarios (for me) where new events might get inserted somewhere before the end of the file. I think this is the core of the issue. I had a notion that Splunk might index based on the logical changes to a JSON file (using keys, values), but based on what you are saying it appears that it does not work this way. Normally my file updates are inserted at the end of the file anyway, so I'll certainly try out the tail scheme. Thanks for that pointer.