I am trying to monitor several individual files for changes.
For example, I will watch "FILE1.log"
If that file is appended from 10 lines to 15 lines, Splunk will pick up 5 more lines (good)
If someone does a save-as to "FILE1.log" with an appended version that is 21 lines long, Splunk will pick up 6 more lines (good)
If someone drags and drops a new "FILE1.log" that has the same contents as the original 21-line "FILE1.log" into the FILE1 monitored location, the Splunk indexer now shows 42 results.
Apparently, even though the file contents and name are the same, the process of replacing the file with a new one is triggering a complete re-index.
Here is my use case, in case there is a better way of going about this:
I am tasked with ingesting text-based syslog files from several external computer systems.
These files are provided to me on a CD each week.
Each logfile name (e.g. PC1.log) is the same each week -- the file is just appended.
So on month 1, PC1.log will have results from Jan 1-31, 2015.
On month 2, PC1.log will have results from Jan 1 - Feb 28, 2015.
And so on.
To ingest these logs, I:
Set up an individual file monitor for each new system.
Drag the contents of the CD into the folder containing the monitored files.
Select "Overwrite" when Windows informs me that there are files in the destination directory with the same name.
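The three cases in the question (append, save-as with a longer version, and replacement with a byte-identical copy) are exactly what a checkpoint-based file tailer has to distinguish. The following is an added illustration, not Splunk's code and not an explanation of the re-index the poster saw: it is loosely modelled on the header-CRC-plus-seek-pointer idea behind Splunk's fishbucket (assumed here as a CRC32 over the first 256 bytes, the same default length as Splunk's `initCrcLength`), with constructed sample log lines, and it shows what "correct" handling of all three cases looks like.

```python
import zlib
from dataclasses import dataclass

# Assumption for this example: a file is identified by the CRC32 of its
# first CRC_PREFIX_LEN bytes, and progress is tracked as a byte offset.
CRC_PREFIX_LEN = 256


@dataclass
class Checkpoint:
    crc: int      # CRC32 of the file header when the file was first seen
    offset: int   # number of bytes already ingested from this file


class Tailer:
    """Minimal incremental file reader keyed on (path, header CRC)."""

    def __init__(self) -> None:
        self.checkpoints: dict[str, Checkpoint] = {}
        self.indexed: list[str] = []  # every line ever ingested, in order

    def ingest(self, path: str, data: bytes) -> int:
        """Ingest the current contents of `path`; return the number of new lines."""
        crc = zlib.crc32(data[:CRC_PREFIX_LEN])
        cp = self.checkpoints.get(path)
        if cp is None or cp.crc != crc or cp.offset > len(data):
            # Unknown file, different header, or the file shrank: read from the start.
            start = 0
        else:
            # Same header as before: resume where we left off, even if the
            # inode/mtime changed because the file was copied over.
            start = cp.offset
        new = data[start:]
        last_nl = new.rfind(b"\n")
        if last_nl < 0:
            return 0  # no complete line yet; leave the checkpoint alone
        chunk = new[: last_nl + 1]  # only whole lines are consumed
        lines = chunk.decode("utf-8").splitlines()
        self.indexed.extend(lines)
        self.checkpoints[path] = Checkpoint(crc, start + len(chunk))
        return len(lines)


def make_log(n: int) -> bytes:
    """Constructed sample syslog-like file with n lines (not real data)."""
    return b"".join(
        f"2015-01-{i:02d}T00:00:00 PC1 event {i}\n".encode() for i in range(1, n + 1)
    )


def run_scenario() -> tuple[list[int], int]:
    """Replay the question's sequence; return per-step new-line counts and total indexed."""
    t = Tailer()
    counts = [
        t.ingest("FILE1.log", make_log(10)),  # first sight: 10 lines
        t.ingest("FILE1.log", make_log(15)),  # appended in place: 5 new
        t.ingest("FILE1.log", make_log(21)),  # save-as with a longer version: 6 new
        t.ingest("FILE1.log", make_log(21)),  # drag/drop of an identical copy: 0 new
    ]
    return counts, len(t.indexed)


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a practitioner should keep in mind with this scheme: if a file is shorter than the header length, its CRC changes as it grows and the file is treated as new, and two different files that share the same first 256 bytes (common with boilerplate syslog headers) collide unless the path is mixed into the CRC, which is what a salt option such as Splunk's `crcSalt = <SOURCE>` is for.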