I want to configure my indexer not to index the latest, still-populating log file in a directory. What is the best way of doing that? If someone can point me in the right direction.
In relation to Kristian's update message below:
a) you have a directory that you monitor (not specific files in it)?
Yes, a directory that contains logs for the same application.
b) you want to index the files in the directory, but not while the application/process is still updating that logfile?
Yes, exactly what I'm trying to do!
c) once the application/process starts on a new file, you want to index the one that was just closed
Yes, I want to index all files that are closed and are no longer being written to.
d) my current file is called RE-11092012-11:15:31.log
e) my finished files are called RE-11092012-11:15:31.log, i.e. unchanged when closed
f) my [monitor] stanza looks like
[monitor:///opt/splunk/var/RE]
sourcetype = re
index = re
whitelist = RE_\d{8}_\d\d:\d\d:\d\d.log
recursive = false
g) My log is from a custom-made application built from the ground up.
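A quick offline check of the whitelist in the stanza above against the filename the post gives (an added example, not code from the poster or from Splunk); it assumes Splunk applies the whitelist as an unanchored regex search against the full monitored path, and the hyphenated pattern it tries alongside is an assumption, not something from the post.

```python
import re

# Values copied from the post: the [monitor] whitelist and the current log file.
WHITELIST = r"RE_\d{8}_\d\d:\d\d:\d\d.log"
CURRENT_FILE = "/opt/splunk/var/RE/RE-11092012-11:15:31.log"

# Assumed alternative (not from the post): same shape, but with the hyphens the
# real filename uses, the '.' escaped, and anchored at the end of the path.
HYPHEN_WHITELIST = r"RE-\d{8}-\d\d:\d\d:\d\d\.log$"


def whitelist_matches(pattern: str, path: str) -> bool:
    """True if the whitelist regex would accept this path.

    Assumption: Splunk tests the whitelist as an unanchored regex search
    against the full path, so re.search (not re.fullmatch) models it.
    """
    return re.search(pattern, path) is not None


def check_paths(paths, pattern=WHITELIST):
    """Map each candidate path to whether the given whitelist accepts it."""
    return {p: whitelist_matches(pattern, p) for p in paths}


if __name__ == "__main__":
    # Constructed sample: the real name from the post plus an underscore variant.
    sample = [CURRENT_FILE, "/opt/splunk/var/RE/RE_11092012_11:15:31.log"]
    for path, ok in check_paths(sample).items():
        print(f"{'MATCH   ' if ok else 'NO MATCH'} {path}")
    print("hyphen pattern:", check_paths(sample, HYPHEN_WHITELIST))
```

The stanza's whitelist uses underscores while the filenames use hyphens, so as written it would not accept the files in the directory at all; the hyphenated pattern is shown only to make that visible.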