https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377235#M5813 <P>as per the document, during restart ,If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. </P> <P>yes, as per the document file will be ignored until next check. not tested.</P> <P>if you are monitoring the existing directory, newly created file under this monitored directory will be monitored immediately.</P> Fri, 27 Jul 2018 12:39:20 GMT thambisetty 2018-07-27T12:39:20Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377234#M5812 <P>On the Splunk docs it is given as </P> <P><STRONG>How Splunk Enterprise handles monitoring of files during restarts</STRONG><BR /> When the Splunk server is restarted, it continues processing files where it left off. It first checks for the file or directory specified in a monitor configuration. If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. The monitor process scans subdirectories of monitored directories continuously</P> <P>Suppose if I deployed inputs to monitor a file and restarted splunk after deploying and If the monitored file was not created yet. Does splunk enterprise check for that file only after 24 hours to reads the file. What if the file created after few minutes after restart. Will it be ignored until 24 hrs of restart.</P> <P>Suppose I gave wildcard for file name, Does it behave same. I can see newly created file was read by splunk immediately when it created for wild card file names.</P> Fri, 27 Jul 2018 11:35:27 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377234#M5812 ankithreddy777 2018-07-27T11:35:27Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377235#M5813 <P>as per the document, during restart ,If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. </P> <P>yes, as per the document file will be ignored until next check. not tested.</P> <P>if you are monitoring the existing directory, newly created file under this monitored directory will be monitored immediately.</P> Fri, 27 Jul 2018 12:39:20 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377235#M5813 thambisetty 2018-07-27T12:39:20Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377236#M5814 <P>How it works , if you use the wild card in file or directory name. such as</P> <P>[monitor.....././..../abc*</P> <P>Does the file with name "abcd" which is created after few hours of restart will be ignored until 24 hours? OR Is there any exception for this scenario? </P> Fri, 27 Jul 2018 13:52:00 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377236#M5814 ankithreddy777 2018-07-27T13:52:00Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377237#M5815 <P>if there is any exception in this scenario , that would be described in the doc. </P> Fri, 27 Jul 2018 13:59:52 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377237#M5815 thambisetty 2018-07-27T13:59:52Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377238#M5816 <P>Whenever a file is created or modified, splunk will monitor it immediately.</P> Fri, 27 Jul 2018 14:24:36 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-splunk-file-after-restart/m-p/377238#M5816 sudosplunk 2018-07-27T14:24:36Z