I assume your talking about the source log files?
It all depends on what you are trying to do and how your logs are generated.
Are they rolling, appended to or created freshly each time? That would determine what sort of input you should be using.
As you are using a monitor statement there are no parameters to do anything with the file once it has been read, it just monitors (ie. reads) the file for new events. It is a non-destructive process.
If your looking to delete the file once it is read they you need to look at using a different type of input stanza that has a move_policy option such as batch ( http://docs.splunk.com/Documentation/Splunk/6.0.1/admin/inputsconf ).
move_policy = sinkhole
- IMPORTANT: This attribute/value pair is required. You must include
"move_policy = sinkhole" when defining
batch inputs.
- This loads the file destructively.
- Do not use the batch input type for files you do not want to consume
destructively.
- As long as this is set, Splunk won't keep track of indexed files. Without
the "move_policy = sinkhole" setting,
it won't load the files destructively
and will keep a track of them.
Normally you would use that for uniquely logs that are placed into your filesystem by another process ie. ftp-ed in etc etc.
