I found a solution:

[monitor:///LOGS/dtjlogs]
disabled = false
host =
host_regex =
host_segment = 3
index = default
sourcetype =

[monitor:///LOGS/dtjlogs/*/*.log]
disabled = false
host =
host_regex =
host_segment = 3
index = default
sourcetype =
followTail = 1

Actually, the two [monitor] stanzas are monitoring the same files.
The only difference is the followTail=1.
I found that if I name the two monitors the same, only the first stanza works.
So I just work around it by naming them slightly differently.
Now any new files will be picked up by the followTail=0 stanza,
and appended (tailing) events will be picked up by the followTail=1 stanza.
Ha, what a solution.