https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54391#M96839 <P>Your best bet would be to use a scripted input to run tail manually for the last 700 lines, something like tail blah -n 700 (double check the syntax). <BR /> The only issue would be duplication if you don't have 700 new events in between readings.</P> Fri, 07 Sep 2012 14:57:13 GMT Drainy 2012-09-07T14:57:13Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54390#M96838 <P>Hi</P> <P>Is it possible to tail the log files and send to indexer rather than sending one file as such.</P> <P>To make it clear - We have some log files of huge size for which we cannot do log rotation for some reason and the file has got entry from last year which I dont want to monitor through splunk.<BR /> So is it possible to tail the last 600-700 lines of that file alone and send it to indexer -not the whole file?</P> <P>Every update to those 700 lines should be sent to indexer on regular basis</P> <P>Thanks</P> Fri, 07 Sep 2012 14:44:32 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54390#M96838 splunker_123 2012-09-07T14:44:32Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54391#M96839 <P>Your best bet would be to use a scripted input to run tail manually for the last 700 lines, something like tail blah -n 700 (double check the syntax). <BR /> The only issue would be duplication if you don't have 700 new events in between readings.</P> Fri, 07 Sep 2012 14:57:13 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54391#M96839 Drainy 2012-09-07T14:57:13Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54392#M96840 <P>Syntax is correct :-)... or you could do <CODE>tail -n 700 blah</CODE></P> Fri, 07 Sep 2012 15:07:10 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54392#M96840 MHibbin 2012-09-07T15:07:10Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54393#M96841 <P>You must have your reasons but I think it would be much easier to just index the whole file and then have Splunk follow the tail. You can always use time range picker or <CODE>earliest|latest</CODE> in your search to filter out older results. Or you could "<A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delete"><CODE>delete</CODE></A>" events older than your selected age.</P> Fri, 07 Sep 2012 15:14:25 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54393#M96841 MHibbin 2012-09-07T15:14:25Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54394#M96842 <P>The reason I ruled out option of indexing the whole file is due to license limitation.We are allowed to index till 10GB perday<BR /> these files as a whole had grown up to 13GB now</P> <P>so if I index whole file then ,at least for the first time when the whole file is indexed it will cross 10 GB?(as per my understanding)</P> Fri, 07 Sep 2012 15:47:27 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54394#M96842 splunker_123 2012-09-07T15:47:27Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54395#M96843 <P>It will cross your limit and register a violation but on an Enterprise licence Splunk will allow you up to 5 violations in a 30 day rolling window. So as long as you then spend the next 30 days without a single violation you will have a clean licence again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Splunk uses this model as it allows for scenarios like this and for companys to do monthly dumps of batch files and the like.</P> Fri, 07 Sep 2012 15:49:21 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54395#M96843 Drainy 2012-09-07T15:49:21Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54396#M96844 <P>How about the ignoreOlderThan option? Or will this just work for the files itself and not the content of it?</P> Fri, 07 Sep 2012 16:35:09 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54396#M96844 MuS 2012-09-07T16:35:09Z https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54397#M96845 <P>That's just based on the modification time of the files. Monitor statements are all about the file, props are about the content <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 07 Sep 2012 18:45:42 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-tail-the-input-that-is-being-sent-to-indexer/m-p/54397#M96845 Drainy 2012-09-07T18:45:42Z