I have to index the historic data along with real time data from the log file. May I know from which point the indexing starts; whether it starts ingesting old data first and latest data at the end, or vice versa? .
thank you, Suppose the UF is restarted ,May I know how Splunk remember the line where it got stopped previously to start ingestion from that point. If not will it start ingestion again from the beggining of the file?
There is a "magic" index called fishbucket. All of the pointers for remembering the last location for files are in it. Splunk does not forget and reindex.
