https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740961#M117783 <P>You simply can't. A regex matches a pattern. The pattern is static. It can contain some "recursive" elements but you can't put something like "today's date" as part of the pattern.</P> Wed, 05 Mar 2025 19:52:09 GMT PickleRick 2025-03-05T19:52:09Z https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740743#M117749 <DIV class=""><DIV class=""><P>we have a scenario where we roll logs everyday. we want Splunk to index log file for yesterday only. We don't want to ingest todays log files. what specific setting d i require in&nbsp; my input. Conf file to only ingest yesterdays data.&nbsp;<BR /><BR />ignoreOlderThan = 1d&nbsp; also ingests todays logfiles which i do not want to.<BR /><BR /></P></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV>&nbsp;</DIV></DIV><DIV class=""><DIV><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV> Tue, 04 Mar 2025 11:34:46 GMT https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740743#M117749 shabamichae 2025-03-04T11:34:46Z https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740755#M117750 <P>I think I'd try to simply use logrotate or some custom script to move the log from yesterday to another directory from which they would normally be ingested&nbsp; with monitor input.</P> Tue, 04 Mar 2025 12:12:49 GMT https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740755#M117750 PickleRick 2025-03-04T12:12:49Z https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740765#M117753 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/239337">@shabamichae</a>&nbsp;</P><P>What do your monitor stanzas currently look like for monitoring these files? Do the logs roll to a "logName.log.1" format (.1 being yesterday)?</P><P>If so. you may be able to update your existing monitor stanzas to add a whitelist (see&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/Monitorfilesanddirectorieswithinputs.conf#:~:text=whitelist%20%3D%20%3Cregular%20expression%3E" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/Monitorfilesanddirectorieswithinputs.conf#:~:text=whitelist%20%3D%20%3Cregular%20expression%3E</A>)</P><LI-CODE lang="markup">whitelist = &lt;regular expression&gt; If set, the Splunk platform monitors files whose names match the specified regular expression. ## inputs.conf ## [monitor:///var/log/*] index=syslog sourcetype=example ..etc.. whitelist = .*\.1$</LI-CODE><P>Also check out&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Data/Specifyinputpathswithwildcards</A></P><P>Please let me know how you get on and consider adding karma to this or any other answer if it has helped.<BR />Regards</P><P>Will</P><P>&nbsp;</P> Tue, 04 Mar 2025 14:00:17 GMT https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740765#M117753 livehybrid 2025-03-04T14:00:17Z https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740820#M117760 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;<BR />Thanks for your response,&nbsp;<SPAN>below is a sample log file names</SPAN></P><P>server.log.20250303.1<BR />server.log.20250303.10<BR />server.log.20250303.11<BR />server.log.20250303.12<BR />server.log.20250303.13<BR />server.log.20250303.14<BR />server.log.20250303.15<BR /><BR /></P> Wed, 05 Mar 2025 12:21:43 GMT https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740820#M117760 shabamichae 2025-03-05T12:21:43Z https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740918#M117773 <P><SPAN>Yes i do understand would require some kind of regex , but My issue is how do i wrrite the regex&nbsp; to match the date , do i need to configure a dat.xml file to read the current date&nbsp;</SPAN></P><P><SPAN>server.log.20250303.1</SPAN><BR /><SPAN>server.log.20250303.10</SPAN><BR /><SPAN>server.log.20250303.11</SPAN><BR /><SPAN>server.log.20250303.12</SPAN><BR /><SPAN>server.log.20250303.13</SPAN><BR /><SPAN>server.log.20250303.14</SPAN><BR /><SPAN>server.log.20250303.15</SPAN></P> Wed, 05 Mar 2025 12:26:11 GMT https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740918#M117773 shabamichae 2025-03-05T12:26:11Z https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740961#M117783 <P>You simply can't. A regex matches a pattern. The pattern is static. It can contain some "recursive" elements but you can't put something like "today's date" as part of the pattern.</P> Wed, 05 Mar 2025 19:52:09 GMT https://community.splunk.com/t5/Getting-Data-In/Handle-log-rolling-and-index-yesterday-s-log-file/m-p/740961#M117783 PickleRick 2025-03-05T19:52:09Z