We have an issue where, for some reason, Splunk stops reading a log file in a particular Data Input folder. The log is set to roll hourly.
If we disable the Data Input and then re-enable it, it starts reading the log again (which is probably the next log).
We have a scheduled task that runs every hour to determine if it has captured any data in the past hour. If it has not, we receive an email letting us know it is hung up and we have to Disable/Enable again.
Is there a way to do so via a script?
We are working to figure out what is wrong and have a case open, but are looking for an intermediary solution.