Yeah, they will likely all have the same first line as it is usually:
[11/12/06 00:00:01] ID=AGENT (info) Log file rollover initiated...
Of course the timestamp is different.
The thing is, it's been indexing these files for months and we've never had any issues. Now all of a sudden it stopped. And actually it looks like it hasn't stopped completely, as yesterday and the day before it indexed a half-dozen or so lines from the file, but that's it. (Usually there are hundreds of lines or more.)
I've tried restarting Splunk on the server and that didn't seem to affect anything.