On a Windows 2012 Server the daily IIS log is held open and sits at "0" bytes in size throughout the day. It appears to be only written to disk at the daily rollover time, typically 10am at which time is becomes "x" bytes in size. Does this mean that Splunk will only receive the total daily events at this time. i.e. delayed by 24 hours. If this is the case how does Splunk Universal Forwarder send the traffic? does it send the entire file in 1 go or does it potentially send the entire file line by line until complete, thus possibly sending large amounts of network traffic at rollover time? ... View more