I am attempting to monitor a file that is fairly large and on a UNC file share. It appears that the file only indexes up to the point at which I reboot the Splunk indexer that is monitoring the file. I am not using a universal forwarder. I configured the file input directly from a Splunk indexer/search head.
How would I make Splunk continue to monitor the file and add the data from after the Splunk reboot?
The file also grows extremely large, to over 200 meg.
The source is a NetApp CIFS XML formatted log file.
Thanks in advance,