I've read all the suggestions on importing bash history logs and tried variations of fschange, followTail and ignoreOlderThan.
For user logs this works just fine:
[monitor:///home/*/.bash_history]
disabled = false
sourcetype = bash_history
index = linux
followTail = 1
ignoreOlderThan = 1d
For root logs, nothing works unless I monitor the whole file, and that has no value to me since Splunk forwards the full log file each time a change occurs. So if the history size is 1000, then 1000 events are sent to Splunk if I run a single "who" command. Any suggestions?