@sduraisamy: Best practice is to NOT touch any file under /etc/system/default; you can either make changes to /etc/system/local or create a custom app if needed.
The above configs do not work on forwarders; you should configure them on indexers.
This should work on your indexers:
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
TIME_PREFIX = ^\[\#\|
MAX_TIMESTAMP_LOOKAHEAD = 23
If you think Splunk is closing the file while the log is still updating, try something like this in your inputs.conf on your forwarder:
time_before_close = <integer>
* The amount of time, in seconds, that the file monitor must wait for
modifications before closing a file after reaching an End-of-File
* Tells the input not to close files that have been updated in the
past 'time_before_close' seconds.
* Default: 3.
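An added example, not part of the original post and not Splunk's own code: a Python approximation of how the three timestamp settings above combine (TIME_PREFIX match, then a MAX_TIMESTAMP_LOOKAHEAD-character window, then TIME_FORMAT), useful for checking sample lines before deploying props.conf. Only the three setting values come from the post; the helper names and sample events are constructed.

```python
import re
from datetime import datetime

# Setting values copied from the post; everything else here is hypothetical.
TIME_PREFIX = r"^\[\#\|"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%3N"
MAX_TIMESTAMP_LOOKAHEAD = 23

# Only the directives used in TIME_FORMAT above are modelled.
DIRECTIVES = {
    "%Y": r"(?P<year>\d{4})", "%m": r"(?P<month>\d{2})",
    "%d": r"(?P<day>\d{2})", "%H": r"(?P<hour>\d{2})",
    "%M": r"(?P<minute>\d{2})", "%S": r"(?P<second>\d{2})",
    "%3N": r"(?P<ms>\d{3})"}

def format_to_regex(fmt):
    """Translate the strptime-style TIME_FORMAT into a regex."""
    out, i = "", 0
    while i < len(fmt):
        for directive, pattern in DIRECTIVES.items():
            if fmt.startswith(directive, i):
                out, i = out + pattern, i + len(directive)
                break
        else:  # literal character such as '-', ':' or ','
            out, i = out + re.escape(fmt[i]), i + 1
    return re.compile(out)

def extract_timestamp(event, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the parsed datetime, or None if these settings find no timestamp."""
    prefix = re.search(TIME_PREFIX, event)
    if prefix is None:
        return None
    # The lookahead is counted from the end of the TIME_PREFIX match.
    window = event[prefix.end():prefix.end() + lookahead]
    m = format_to_regex(TIME_FORMAT).match(window)
    if m is None:
        return None
    f = {k: int(v) for k, v in m.groupdict().items()}
    try:
        return datetime(f["year"], f["month"], f["day"],
                        f["hour"], f["minute"], f["second"], f["ms"] * 1000)
    except ValueError:  # digits matched but are not a valid date, e.g. month 13
        return None

# Constructed sample events, not taken from the post.
SAMPLES = [
    "[#|2024-03-07 14:05:09,482|INFO|app|started|#]",       # matches the settings
    "[#|2024-03-07T14:05:09.482+0000|INFO|app|started|#]",  # ISO style: no match
    "    at com.example.Foo.bar(Foo.java:42)",              # continuation line
]
```

A result of None marks a line where these settings would extract no timestamp, which is worth catching before ingestion because event times then no longer reflect what the log recorded.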