Our Splunk is monitoring a log file located on a network share. A new line is always added at the bottom of the file. Every time a new line is added to the log, the entire log file gets injected again. My input.conf is as below:
[monitor://\\nfs1\logs$\audit.xml]
disabled = 1
index = sservice
sourcetype = app
Any suggestions on where I am doing it wrong?
Should I use the followTail setting? The Splunk documentation website says "DO NOT leave followTail enabled in an ongoing fashion", so I didn't try it.