If I'm monitoring a very large logfile
whitelist = (myApp)\.log$
And at some point, a process rotates the file to:
If the file hasn't fully been forwarded at the time of rotation ... will:
Splunk keeps track of the offset via the fishbucket. Even if the file is moved, it should only index what it hasn't already indexed. So moving it to a different directory shouldn't be a problem.
View solution in original post