If the event doesn't have the bytes associated with the file, Splunk cannot provide that detail. For example, if the event is: file: temp.txt, 45 bytes, created today, file closed, then in this scenario it contains knowledge about file temp.txt of size 45 bytes and that it's closed. Then Splunk can retrieve it, and an alert/report etc. can be created. For what we need to retrieve in this case, the bytes must exist in the 'events' / _raw data. Hope this clarifies.