Hi @Azunai

You must be using the Splunk UF in your case to monitor the configured file. Splunk ensures that it ingests the latest updates and that no duplicate data is ingested (if you are interested, check for fishbucket in the docs). Having said that, it doesn't ingest the whole file for every change and only ingests new lines appended to the file.

Example:

test.conf
---------------
03/06/2021 10:00:00 Line1-data-feed
03/06/2021 10:01:00 Line2-data-feed
03/06/2021 10:02:00 Line3-data-feed

If someone changed test.conf and the file then gets updated/appended here with - 03/06/2021 10:03:00 Line4-data-feed - the UF ensures it only ingests this latest change.

Effectively, when you search in the Splunk SH UI, you will get the following output:

03/06/2021 10:00:00 Line1-data-feed
03/06/2021 10:01:00 Line2-data-feed
03/06/2021 10:02:00 Line3-data-feed
03/06/2021 10:03:00 Line4-data-feed
---------

An upvote would be appreciated if it helps!
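The append-only behaviour described in the answer above, as an added example that is not part of the original post and not Splunk's own code: a simplified Python model of checkpointed tailing. The class name, the 256-byte head checksum and the sample lines are assumptions made for illustration; the last step shows this model re-reading the file from the start when an existing line is edited rather than appended.

```python
import os
import tempfile
import zlib

HEAD_LEN = 256  # assumed size of the file head used to recognise a file


class TailCheckpoint:
    """Hypothetical tracker: per path, a head checksum plus a read offset."""

    def __init__(self):
        self.state = {}  # path -> (head_crc, head_len, offset)

    def read_new(self, path):
        with open(path, "rb") as f:
            data = f.read()
        offset = 0
        if path in self.state:
            head_crc, head_len, prev = self.state[path]
            # Resume only if the head is unchanged and the file did not shrink.
            if zlib.crc32(data[:head_len]) == head_crc and len(data) >= prev:
                offset = prev
        end = max(data.rfind(b"\n") + 1, offset)  # consume complete lines only
        head = data[:HEAD_LEN]
        self.state[path] = (zlib.crc32(head), len(head), end)
        return data[offset:end].decode().splitlines()


def demo():
    # Constructed sample data, mirroring the test.conf lines in the post.
    feed = [f"03/06/2021 10:0{i}:00 Line{i + 1}-data-feed\n" for i in range(4)]
    tracker = TailCheckpoint()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.conf")
        with open(path, "w") as f:
            f.writelines(feed[:3])
        first = tracker.read_new(path)       # initial read: Line1..Line3
        with open(path, "a") as f:
            f.write(feed[3])
        appended = tracker.read_new(path)    # only Line4
        idle = tracker.read_new(path)        # nothing new
        with open(path, "w") as f:           # existing first line edited in place
            f.writelines(["03/06/2021 10:00:00 Line1-EDITED\n"] + feed[1:])
        rewritten = tracker.read_new(path)   # head changed: read from offset 0
    return first, appended, idle, rewritten


if __name__ == "__main__":
    for label, lines in zip(("first", "appended", "idle", "rewritten"), demo()):
        print(label, lines)
```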