I believe I have an application that is unusually slow in writing its events to a log file. Events are multi-lined but the application (I believe) takes several seconds to write each line.
If I were monitoring this file with Universal forwarder, would this explain some improper linebreaking? If so, is there any setting that can be configured that will tell Splunk to allow X amount of time for the event to complete writing? If not, I could delay indexing of that log file until it is complete.
I have tested indexing of a complete file which writes just fine.