My 2 cents: if the log rotation is clean (I mean not using a logtruncate option that may cause duplicates), then it's not a problem to have Splunk monitor the files and the rotated files.
Splunk has a mechanism to read the first lines of a file and detect if it's a new file or a rotated one.
The advantage is that if the file rotates before Splunk has had time to read the last events, then it will be able to continue on the rotated one.
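A simplified model of the head-of-file check described in the post above, added here as an illustration; it is not Splunk's code and not part of the thread. `TailTracker`, `HEAD_LEN`, the file names and the log lines are constructed for the example, and the sketch assumes every file is at least `HEAD_LEN` bytes long.

```python
import os
import tempfile
import zlib

HEAD_LEN = 32  # bytes of the file head that are fingerprinted (assumed value)


class TailTracker:
    """Hypothetical tracker: one read offset per head-of-file checksum."""

    def __init__(self):
        self.offsets = {}  # CRC of file head -> bytes already read

    def read_new(self, path):
        with open(path, "rb") as f:
            head = f.read(HEAD_LEN)
            if not head:
                return []
            key = zlib.crc32(head)
            # Known head: same content under a new name, resume at saved offset.
            # Unknown head: a genuinely new file, start from byte 0.
            f.seek(self.offsets.get(key, 0))
            data = f.read()
            self.offsets[key] = f.tell()
        return data.decode().splitlines()


def line(n):
    # Constructed sample event; the timestamp makes each file head unique.
    return f"2024-01-01T00:00:0{n}Z host=example01 event={n}\n"


def append(path, n):
    with open(path, "a") as f:
        f.write(line(n))


def demo():
    tracker = TailTracker()
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "app.log")
        rotated = os.path.join(d, "app.log.1")
        append(live, 1)
        append(live, 2)
        first = tracker.read_new(live)            # events 1 and 2
        append(live, 3)                           # written, not yet read
        os.rename(live, rotated)                  # clean rotation by rename
        append(live, 4)                           # fresh live file
        from_rotated = tracker.read_new(rotated)  # resumes: event 3 only
        from_new = tracker.read_new(live)         # new head: event 4
    return first, from_rotated, from_new
```

Monitoring both the live and the rotated name yields each event exactly once here: event 3, written just before the rename, is picked up from the rotated file without re-reading events 1 and 2.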
jcoates, thanks for the reply.
The issue was that the AMP dashboards were showing as empty for the 29th, 30th and 1st (end of Sept and start of Oct), even though there was data coming into the Splunk server. But, the 28th WAS showing data in the AMP Dashboards for the Cisco Ironport WSA Add-On.
But, I have been working with Cisco TAC on this so I think we have it covered.
Thanks Again,
Matt