I have a large number of Universal Forwarders that forward Apache access logs. On my systems, the Apache access logs are named -access.log and/or -ssl-access.log. On a regular basis, those files are rotated to -access.log.1 and/or -ssl-access.log.1. The .1 becomes a .2 after the next rotation, etc.
To simplify our environment a bit, I want to change our Apache app to index "-access.log" or maybe even "*access". If I do the latter ("access") and restart the forwarder, will Splunk re-index all of the access log files? I do not want it to.
The fishbucket will keep track of what files have been indexed, and I don't think that it will care too much regarding the exact [monitor] stanza wording. Determining if a file has been read or not is more of an issue about checksums of the actual file(s) being monitored.
One thing, though. If you create a common [monitor] for <hostname>-access.log and <hostname>-ssl-access.log, they would have to share the same sourcetype, which can be fine, if the contents (read: columns) of the file are the same. Have a read here as well;
Thank you for the helpful reply. Yes, I understand they would be sharing a common sourcetype, and I am fine with that. I was more concerned with duplicate entries, which from what you describe shouldn't be an issue.
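The checksum-based tracking described in the answer above, as an added example that is not part of the original thread and is not Splunk's code: a toy Python model of a tracker keyed on the head of each file, run across a log rotation. Assumptions: a 256-byte head (Splunk's documented default for `initCrcLength`), `zlib.crc32` as a stand-in checksum, constructed `web01-*` file names and log lines, and a hypothetical `salt_with_source` flag that models the `crcSalt = <SOURCE>` setting, the one case where a renamed file is read again.

```python
import zlib

HEAD_LEN = 256  # assumption: head bytes hashed (documented initCrcLength default)

def head_key(content: bytes, path: str, salt_with_source: bool = False) -> int:
    """Checksum of the file head; the path is mixed in only when salting is on."""
    data = content[:HEAD_LEN]
    if salt_with_source:  # models crcSalt = <SOURCE>
        data = path.encode() + data
    return zlib.crc32(data)  # stand-in checksum, not Splunk's algorithm

class Tracker:
    """Toy stand-in for the fishbucket: head checksum -> bytes already read."""
    def __init__(self, salt_with_source: bool = False):
        self.seen = {}
        self.salt = salt_with_source

    def scan(self, files: dict) -> dict:
        """Return {path: unread bytes}. The [monitor] stanza wording plays no
        part in the key; only file content (and the path, if salted) does."""
        out = {}
        for path, content in files.items():
            key = head_key(content, path, self.salt)
            offset = self.seen.get(key, 0)
            out[path] = content[offset:]
            self.seen[key] = len(content)
        return out

def make_log(tag: str, n: int) -> bytes:
    """Constructed access-log lines (documentation IP range), not real data."""
    return "".join(
        f'203.0.113.{i} - - [01/Jan/2024:00:00:{i:02d} +0000] '
        f'"GET /{tag}/{i} HTTP/1.1" 200 512\n' for i in range(n)
    ).encode()

def demo(salt_with_source: bool = False) -> dict:
    t = Tracker(salt_with_source)
    plain, ssl = make_log("plain", 10), make_log("ssl", 10)
    # Before: the narrow stanza matches only the two live files.
    t.scan({"web01-access.log": plain, "web01-ssl-access.log": ssl})
    # After: rotation happened and a broader stanza now also matches the .1 file.
    after = t.scan({
        "web01-access.log.1": plain,               # rotated copy, same content
        "web01-access.log": make_log("new", 5),    # fresh live file
        "web01-ssl-access.log": ssl + make_log("more", 2),  # appended to
    })
    return {path: len(unread) for path, unread in after.items()}

if __name__ == "__main__":
    print("content-keyed:", demo(False))
    print("path-salted:  ", demo(True))
```

With content-only keys the rotated `.1` file yields zero new bytes; with the path salted in, the same file is read again in full, which is the duplicate-event case the question is worried about.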