Hello all,

One of our home grown apps copies logs to a directory monitored by Splunk once a day around midnight. Splunk, however, will not index the events in the log if they contain a past time stamp. The lines in the log look similar to this:

12/18/2021,00:00:20,UDP,Rcv,10.132.133.29,app-measurement.com

These lines are skipped; however, if the line looks like this, it will be indexed:

UDP,Rcv,10.132.133.29,app-measurement.com

It appears having a date and time in the log is causing the forwarder to not forward the data. Here's the input.conf for the Splunk app that handles the files:

[monitor://C:\Logs\CustomApp]
disabled = 0
index = customapp
sourcetype = customappevents
recursive = false
blacklist = \.tmp$
crcSalt = <SOURCE>

Thanks in advance!