If I'm monitoring files that are being rotated with an added timestamp, and the rotated files are being compressed after a couple of days, could this cause reindexing of log events?
I know that Splunk supports reading compressed files, and that as long as you don't add `crcSalt=`, log-rotating with a timestamp would not cause reindexing. However, the doc state that adding data to a compressed file would in fact cause reindexing ([link][1]). This confuses me. If Splunk decompresses files to read the checksum (to check if the log file have already been indexed or not), why could adding data to a compressed file cause reindexing? If Splunk doesn't read checksums in that way for compressed files, how can we be sure normal rotated log files with delayd compression can't cause reindexing as well?
Hope someone can explain this to me. :)
[1]: http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Monitorfilesanddirectories#How_Splunk_Enterprise_monitors_archive_files