We have a Windows machine that writes events to a log with the .txt extension, monitored by the Splunk Universal Forwarder (monitor stanza). Every time the file changes, Splunk re-reads it all and writes this to the splunkd.log:
12-03-2013 15:12:33.432 -0200 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='D:\path\to\file\file.txt'.
12-03-2013 15:12:33.432 -0200 INFO WatchedFile - Will begin reading at offset=0 for file='D:\path\to\file\file.txt'.
We've noticed that this happens to all .txt files that we try to monitor with Splunk. It's like Splunk has a config to deal with .txt files in a different way.
We've tried to set up a props.conf with:
[source::D:\\path\\to\\file\\file.txt]
CHECK_METHOD = endpoint_md5
But Splunk still duplicates the events.
Has anyone seen something like this? Is there a way to configure Splunk to not re-read .txt files on each update?