Splunk is monitoring a directory with the below configuration in inputs.conf:
[monitor:///*/*/*]
sourcetype=exampleA_sourcetype
index=exampleA_index
blacklist = \.(gz|zip)$
ignoreOlderThan = 1d
initCrcLength = 750
We had a file "example_readafile.log" in the directory on 31st August, and Splunk monitored it correctly.
On 1st September, we dropped a new file with the same name (example_readafile.log) that had different content in it, but it was not monitored by Splunk.
Can anyone please explain this behavior?