[All this is using CLI]
I do add oneshot for 3 log files one after the other.
Then I do an immediate search on the last log file which fails.
If I wait for a few seconds, the search works. My question is, is there a way for me to deterministically wait before beginning searches? I want to avoid adding sleeps as they may not work depending on how large the log file is.
Thanks!
One way would be to query the tailing processor (https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus). Here is more detail that links to a Python script that shows how to do this: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
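The polling approach from the answer above, as an added example (not from the original post and not the linked blog script). It assumes the endpoint returns Atom XML with an `inputs` dictionary keyed by file path, each holding `file position`, `file size` and `type` fields; the function names and the caller-supplied `fetch` callable (an authenticated HTTPS GET of the URL above) are hypothetical.

```python
import time
import xml.etree.ElementTree as ET

S = "{http://dev.splunk.com/ns/rest}"  # namespace of the s:dict / s:key elements

# Constructed sample of the FileStatus response body (assumed layout, trimmed).
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><content type="text/xml"><s:dict><s:key name="inputs"><s:dict>
<s:key name="/var/log/a.log"><s:dict>
<s:key name="file position">2048</s:key><s:key name="file size">2048</s:key>
<s:key name="percent">100.00</s:key><s:key name="type">finished reading</s:key>
</s:dict></s:key>
<s:key name="/var/log/b.log"><s:dict>
<s:key name="file position">512</s:key><s:key name="file size">4096</s:key>
<s:key name="percent">12.50</s:key><s:key name="type">open file</s:key>
</s:dict></s:key>
</s:dict></s:key></s:dict></content></entry></feed>"""

def file_status(xml_text):
    """Return {path: {field: value}} for every file listed under 'inputs'."""
    root = ET.fromstring(xml_text)
    out = {}
    for inputs in root.iter(S + "key"):
        if inputs.get("name") != "inputs":
            continue
        for entry in inputs.findall(S + "dict/" + S + "key"):
            fields = entry.findall(S + "dict/" + S + "key")
            out[entry.get("name")] = {f.get("name"): (f.text or "") for f in fields}
    return out

def is_done(status, path):
    """True once the file is listed and its read position has reached its size."""
    info = status.get(path)
    if not info:
        return False  # not picked up by the input yet
    try:
        return int(info["file position"]) >= int(info["file size"])
    except (KeyError, ValueError):
        return info.get("type") == "finished reading"  # fall back to the state field

def wait_until_read(fetch, paths, timeout=300.0, interval=1.0):
    """Poll fetch() (returns the response XML) until every path is done or timeout."""
    deadline = time.monotonic() + timeout
    while True:
        status = file_status(fetch())
        pending = [p for p in paths if not is_done(status, p)]
        if not pending or time.monotonic() >= deadline:
            return pending  # an empty list means every file was fully read
        time.sleep(interval)
```

A file reported as fully read has been consumed by the input; the events can still take a moment to become searchable, so retry the first search briefly if it comes back empty.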