In the Splunk docs it is given as:
How Splunk Enterprise handles monitoring of files during restarts
When the Splunk server is restarted, it continues processing files where it left off. It first checks for the file or directory specified in a monitor configuration. If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. The monitor process scans subdirectories of monitored directories continuously.
Suppose I deployed inputs to monitor a file and restarted Splunk after deploying, and the monitored file was not created yet. Does Splunk Enterprise check for that file only after 24 hours before reading it? What if the file is created a few minutes after the restart? Will it be ignored until 24 hours after the restart?
Suppose I gave a wildcard for the file name. Does it behave the same? I can see that a newly created file was read by Splunk immediately when it was created, for wildcard file names.
As per the document, during a restart, if the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart.
Yes, as per the document the file will be ignored until the next check. Not tested.
If you are monitoring an existing directory, a newly created file under this monitored directory will be monitored immediately.
How does it work if you use a wildcard in the file or directory name, such as
[monitor.....././..../abc*
Will a file with the name "abcd" which is created a few hours after the restart be ignored until 24 hours? Or is there an exception for this scenario?
Whenever a file is created or modified, Splunk will monitor it immediately.
If there is any exception in this scenario, it would be described in the doc.
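Added example, not from this thread or from Splunk's docs: an inputs.conf fragment contrasting the two situations discussed above (an exact path that may not exist yet at restart, versus monitoring the existing parent directory with a wildcard or a whitelist). The directory /var/log/myapp, the file names and the sourcetype/index values are assumptions; the three stanzas are alternatives to compare, not meant to be deployed together.

```ini
# Constructed example. /var/log/myapp, the file names, sourcetype and index are assumptions.

# 1. Exact path to a file that may not exist yet when splunkd restarts.
#    Per the doc text quoted in the question, a path that is missing at start
#    is only re-checked every 24 hours from the restart.
[monitor:///var/log/myapp/abc.log]
sourcetype = myapp
index = main

# 2. Wildcard in the file name. The parent directory /var/log/myapp exists, so
#    the input is active at start; as reported in the thread, files matching
#    abc* that appear later are picked up when they are created.
[monitor:///var/log/myapp/abc*]
sourcetype = myapp
index = main

# 3. Same effect with the stanza on the existing directory and the name
#    restriction moved into a whitelist. whitelist is a regex matched against
#    the full path, not a glob, so "abc*" becomes "/abc[^/]*$".
[monitor:///var/log/myapp]
whitelist = /abc[^/]*$
recursive = false
sourcetype = myapp
index = main
```

Before relying on option 1 after a deployment, confirm the file already exists on the forwarder, or use option 2 or 3 so the monitored path exists at restart.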