We have an Oracle logging directory with thousands of .aud files for logging to Splunk.
Each day over 700 new files are created.
We experience a heavy workload on the system caused by the splunkd process.
We think splunkd monitors ALL files, and after some weeks a huge bunch of file-monitoring threads are occupying the CPU.
How can we tell Splunk not to monitor already indexed files and only look at newly created ones? A closed file will never be changed again.
[monitor:///oracle/Q*/trace/audit/*.aud]
sourcetype=oracle:audit:text
whitelist = \w.+.aud
ignoreOlderThan=7d
index=oracle_sap
disabled = false