**Test inputs.conf**
[monitor:///var/log/application/active/*.log]
disabled=0
sourcetype=application
index=application
[monitor:///var/log/application/rotated/*.log]
disabled=0
sourcetype=application
index=application
**Expected result:**
If I understand the CRC that Splunk calculates, when
`/var/log/application/active/application.log`
is rotated to
`/var/log/application/rotated/application.20171231.log`
the log events should not be duplicated because the first 256 bytes remained the same.
**Actual result:**
Except, my entire file is duplicated, with splund.log stating: Normal record was not found for initCrc=0xbd68c9187f8e7490.
Is this because it's in a different directory or a different inputs.conf stanza? I'm not using `initCrc=`, so I did not expect the directory to make a difference. Can anyone explain the detail I'm missing here?