https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538784#M90281 <P>This may help..</P><P>1. If the file is older than 2 days we can use&nbsp;&nbsp;ignoreOlderThan&nbsp;=&nbsp;2d in inputs.conf in forwarder.</P><P>2. Please check the below configuration is in props.conf in HF/Indexer.</P><P>[iis]</P><P>MAX_DAYS_AGO=2</P><P>&nbsp;</P> Fri, 05 Feb 2021 15:12:08 GMT saravanan90 2021-02-05T15:12:08Z https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538779#M90279 <P>Hello All!</P><P>I am configuring Splunk in different servers to send the IIS Logs. I am doing it by adding the IIS Log Folder as a Data Input -&gt; Files &amp; Directories.&nbsp;</P><P>But in the IIS Log File there is old Logs, and I only want that send to splunk Logs from no more that two days.&nbsp;</P><P>I already configured in the .props.config the&nbsp;MAX_DAYS_AGO=2, but it doesn't work.&nbsp;</P><P>I have tried in these ways:&nbsp;&nbsp;</P><P>With the file in ...\etc\system\local\props.config&nbsp;</P><P><STRONG>[iis]</STRONG><BR /><STRONG>MAX_DAYS_AGO=2</STRONG></P><P>---------------- Didn't work</P><P><STRONG>[default]</STRONG><BR /><STRONG>MAX_DAYS_AGO=2</STRONG></P><P>------------------Didn't work&nbsp;</P><P>Changing the Default in the ..\etc\system\default\props.config</P><P><STRONG>[default]</STRONG><BR /><STRONG>MAX_DAYS_AGO=2</STRONG></P><P>------------------Didn't work&nbsp;</P><P><SPAN>Restarting the Splunk service every time when I made the change&nbsp;</SPAN></P><P>Could somebody say me what I am missing?&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P> Fri, 05 Feb 2021 14:53:04 GMT https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538779#M90279 daymar_23 2021-02-05T14:53:04Z https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538784#M90281 <P>This may help..</P><P>1. If the file is older than 2 days we can use&nbsp;&nbsp;ignoreOlderThan&nbsp;=&nbsp;2d in inputs.conf in forwarder.</P><P>2. Please check the below configuration is in props.conf in HF/Indexer.</P><P>[iis]</P><P>MAX_DAYS_AGO=2</P><P>&nbsp;</P> Fri, 05 Feb 2021 15:12:08 GMT https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538784#M90281 saravanan90 2021-02-05T15:12:08Z https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538788#M90282 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/211208">@saravanan90</a>&nbsp;</P><P>Sorry, but I am new using splunk. So what do you mean by&nbsp;<SPAN>HF/Indexer?&nbsp;</SPAN></P><P>My local props.config looks like:&nbsp;</P><P>[iis]<BR />MAX_DAYS_AGO=2<BR />TRANSFORMS-null = setnull,setNotFound</P><P>And under what label do I have to put the&nbsp;<SPAN>ignoreOlderThan&nbsp;=&nbsp;2d in my local inputs.conf?&nbsp;</SPAN></P><P><SPAN>Thanks for your reply.&nbsp;</SPAN></P> Fri, 05 Feb 2021 15:35:00 GMT https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538788#M90282 daymar_23 2021-02-05T15:35:00Z https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538791#M90284 <P>In inputs.conf we configure the file which needs to be monitored as below. We can add the "ignoreOlderThan&nbsp;=&nbsp;2d" as below in inputs.conf so that it will exclude the files which are older than 2 days.</P><P>[monitor://path_to_logfile.log]<BR />disabled = false<BR />index = iis<BR />sourcetype = iis<BR />crcSalt = &lt;SOURCE&gt;<BR /><STRONG>ignoreOlderThan&nbsp;=&nbsp;2d</STRONG></P><P>&nbsp;</P><P>If we need to go through each individual events and ignore the data then we can add them where it is being parsed. If we are using intermediate Heavy forwarder for parsing, then configure here. If the logs being collected are sent directly to indexers then we can configure the below in indexers.</P><P>props.conf</P><P><SPAN>[iis]</SPAN><BR /><SPAN>MAX_DAYS_AGO=2</SPAN></P> Fri, 05 Feb 2021 15:48:46 GMT https://community.splunk.com/t5/Getting-Data-In/Don-t-forward-old-IIS-Logs-to-Splunk/m-p/538791#M90284 saravanan90 2021-02-05T15:48:46Z