Will Splunk update the index if an already indexed file is edited?

by Sreeraj   Last Updated December 07, 2017 11:00 AM

Our Splunk server indexes the audit logs from its clients. Once a week we audit these logs through a Splunk search. My question is, if someone edits the entries in a log file that is already indexed, would Splunk re-index the edited file and overwrites the old entry in the index or would Splunk keeps both the entries (one before-the-edit and one after-the-edit). What I am trying confirm here is that if I am to look at the audit logs from last month through Splunk, and it someone removes an entry the original log file only last week, would the entry that someone deleted would still appear in a Splunk search?

Tags : splunk


Related Questions



JSON vs Key-Value for Splunk

Updated May 28, 2015 02:00 AM

Reconstructing a session (or user-flow) in splunk

Updated June 02, 2015 02:00 AM

Change systemd service log location

Updated July 20, 2015 17:00 PM