Is it possible to have Splunk index all the data in a file and, when the file is changed, remove the currently indexed data in Splunk and replace it with the new data in the file?
I do not need the history of the data and am just interested in the current status of the test.
The issue is that every time an event is written to a file it is being indexed even though one element has changed.
i.e.
Original file content
"test": "A", "status": "Pass"
"test": "B", "status": "Pending"
New file content. Test B has changed from Pending to Failed.
"test": "A", "status": "Pass"
"test": "B", "status": "Failed"