<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Index only new lines in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Index-only-new-lines/m-p/411045#M94522</link>
    <description>&lt;P&gt;Hi.&lt;/P&gt;

&lt;P&gt;I have a requirement from a client: he has a file that is indexed every day, but that file is modified at different times, for example modifications to lines 8 and 10000 at 20:00 hrs, and afterwards modifications to lines 2 and 10100 at 22:00 hrs. Is it possible to index only the lines that have been modified? At 2:00 am the file does not change any more.&lt;/P&gt;</description>
    <pubDate>Wed, 27 Jun 2018 13:23:06 GMT</pubDate>
    <dc:creator>grivera_kudaw</dc:creator>
    <dc:date>2018-06-27T13:23:06Z</dc:date>
    <item>
      <title>Index only new lines</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Index-only-new-lines/m-p/411045#M94522</link>
      <description>&lt;P&gt;Hi.&lt;/P&gt;

&lt;P&gt;I have a requirement from a client: he has a file that is indexed every day, but that file is modified at different times, for example modifications to lines 8 and 10000 at 20:00 hrs, and afterwards modifications to lines 2 and 10100 at 22:00 hrs. Is it possible to index only the lines that have been modified? At 2:00 am the file does not change any more.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jun 2018 13:23:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Index-only-new-lines/m-p/411045#M94522</guid>
      <dc:creator>grivera_kudaw</dc:creator>
      <dc:date>2018-06-27T13:23:06Z</dc:date>
    </item>
    <item>
      <title>Re: Index only new lines</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Index-only-new-lines/m-p/411046#M94523</link>
      <description>&lt;P&gt;No, Splunk cannot be configured to monitor individual changes inside a file. Just the entire file, or new lines at the end of a file.&lt;/P&gt;

&lt;P&gt;So the only way to do this would be to write some kind of script that detects the changes and writes those to a new file that is monitored by Splunk.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Jun 2018 15:44:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Index-only-new-lines/m-p/411046#M94523</guid>
      <dc:creator>FrankVl</dc:creator>
      <dc:date>2018-06-27T15:44:44Z</dc:date>
    </item>
  </channel>
</rss>

