Given the way the whitelisting works, and since it appears that you're trying to index the full file, there is another way to get the result you want. You can use the regular log file monitoring rather than the fschange monitor to get the full file, with some settings for the source type. In inputs, you would: [monitor:///var/svc/manifest/] whitelist = \.xml$ sourcetype = solaris_etc index = fileint in props.conf: [solaris_etc] DATETIME_CONFIG = NONE CHECK_METHOD = entire_md5 TRUNCATE = 0 LINE_BREAKER = (?!) This should wind up looking the same, with the bonus that you won't have a poll period so the changes should be detected more quickly. ... View more

I think I found it. I had source: instead of source:: ... View more