I have set up a universal forwarder to monitor my
server logfile. The file is written in XML format
and thus has a header and footer of:
<?xml version="1.0" encoding="UTF-8"?><rps_logfile version="1.0">
As the server produces log output, it appends to the file by
backing up over the footer, writing the new entry, and re-writing
This causes the universal forwarder to send redundant information
and the splunkd receiving the data seems to get confused sometimes.
What are my options for having the header & footer ignored or
having the forwarder send only the truly new information?
I decided to indulge in a preprocessing approach.
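
One way such a preprocessing step could look, as an added example that is not the poster's script and not Splunk code: it copies only the entries appended since the previous pass into a plain file that the forwarder monitors instead of the XML log. The footer `</rps_logfile>`, the function names and the file paths are assumptions; the footer text is not shown in the post.

```python
import os

HEADER_END = b'<rps_logfile version="1.0">'  # root open tag, from the post
FOOTER = b"</rps_logfile>"  # assumed: closing tag of that root element


def extract_new(data, offset):
    """Return (new_entries, next_offset) for the current file contents.

    offset is where the footer started on the previous pass. The server
    overwrites the footer from that position, so new entries begin there.
    """
    if offset > len(data):  # file shrank (truncated or rotated): start over
        offset = 0
    if offset == 0:  # first pass: skip the XML declaration and root tag
        start = data.find(HEADER_END)
        if start < 0:
            return b"", 0
        offset = start + len(HEADER_END)
    body = data.rstrip()
    footer_at = body.rfind(FOOTER)
    # No footer at the end of the file: the server is mid-write, retry later.
    if footer_at < offset or not body.endswith(FOOTER):
        return b"", offset
    return data[offset:footer_at], footer_at


def preprocess(src, dst, state):
    """Append entries added to src since the last call to dst."""
    offset = 0
    if os.path.exists(state):
        with open(state) as f:
            offset = int(f.read())
    with open(src, "rb") as f:
        data = f.read()
    new, offset = extract_new(data, offset)
    new = new.strip()
    if new:
        with open(dst, "ab") as out:  # append-only file for the forwarder
            out.write(new + b"\n")
    with open(state, "w") as f:
        f.write(str(offset))
    return new
```

Run `preprocess` on a schedule and point the forwarder's monitor input at the output file. A rotation that leaves the new file larger than the saved offset is not detected by the size check alone.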