Hi

We have a Windows machine that writes events on a log with the .txt extension, monitored by the Splunk Universal Forwarder (monitor stanza). Every time the file changes, Splunk re-read it all and writes this to the splunkd.log:

12-03-2013 15:12:33.432 -0200 INFO  WatchedFile - File too small to check seekcrc, probably truncated.  Will re-read entire file='D:\path\to\file\file.txt'.
12-03-2013 15:12:33.432 -0200 INFO  WatchedFile - Will begin reading at offset=0 for file='D:\path\to\file\file.txt'.

We've noticed that this happens to all .txt files that we try to monitor with Splunk. It's like Splunk have a config to deal with .txt files on a different way.

We've tried to setup an props.conf with:

[source::D:\\path\\to\\file\\file.txt]
CHECK_METHOD = endpoint_md5

But Splunk still duplicates the events.

Have anyone seen something like? There is a way to config Splunk to not re-read .txt files on each update?

Thanks!
Julio