https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542563#M90643 <P>The <FONT face="courier new,courier">ignoreOlderThan</FONT> setting is for monitor inputs, not <FONT face="courier new,courier">WinEventLog</FONT>.&nbsp; I'm not aware of a setting that controls how far back into the event log the forwarder will read.</P> Fri, 05 Mar 2021 14:29:04 GMT richgalloway 2021-03-05T14:29:04Z https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542539#M90641 <P>Hello Team,</P><P>I want the stanza to ingest logs from a specific date in Linux or Window environment.</P><P>Currently am using windows <STRONG>(ignoreOlderThan = 365d)&nbsp;</STRONG>and the same using for Linux it's not working.</P><P><STRONG>Requirement</STRONG>: I want to ingest logs from Linux via UF and windows machines to Splunk, so I want only 356days or 180days. Can anyone share other than the above stanza?</P><P><STRONG>Example:</STRONG></P><P>&nbsp;[WinEventLog://Security]<BR />disabled = 0<BR />index = trendmicro<BR />sourcetype = %trendmicro%<BR />ignoreOlderThan = 365d<BR />whitelist = 4625,4648,4723,4728,4732,4740,4777,5031,4624,4634</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Mar 2021 11:27:22 GMT https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542539#M90641 phanichintha 2021-03-05T11:27:22Z https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542563#M90643 <P>The <FONT face="courier new,courier">ignoreOlderThan</FONT> setting is for monitor inputs, not <FONT face="courier new,courier">WinEventLog</FONT>.&nbsp; I'm not aware of a setting that controls how far back into the event log the forwarder will read.</P> Fri, 05 Mar 2021 14:29:04 GMT https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542563#M90643 richgalloway 2021-03-05T14:29:04Z https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542568#M90644 <P>Hello Rich,</P><P>If that is not the case, can you please which stanza can I use for my question?</P> Fri, 05 Mar 2021 15:11:59 GMT https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542568#M90644 phanichintha 2021-03-05T15:11:59Z https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542569#M90645 <P>please suggest some stanzas to find out the way.</P> Fri, 05 Mar 2021 15:12:43 GMT https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542569#M90645 phanichintha 2021-03-05T15:12:43Z https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542612#M90653 <P>As I said in my original answer, I'm not aware of ANY settings that do what you want.</P><P>However, ingestion of older events is a one-time happening so why not just let it happen?&nbsp;&nbsp;</P> Fri, 05 Mar 2021 17:47:38 GMT https://community.splunk.com/t5/Getting-Data-In/Stanza-for-to-ingest-logs-from-specific-date/m-p/542612#M90653 richgalloway 2021-03-05T17:47:38Z