https://community.splunk.com/t5/Splunk-Search/Does-ignoreOlderThan-work-on-Windows/m-p/301858#M161884 <P>hello @ddrillic</P> <P>for the wineventlogs, you will have to use <CODE>start_from</CODE> in inputs.conf under the relevant stanza/s<BR /> take a look in docs here:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata">http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata</A><BR /> <CODE>start_from</CODE></P> <PRE><CODE> How events are to be read. Acceptable values are oldest (meaning read logs from the oldest to the newest) and newest (meaning read logs from the newest to the oldest.) You cannot set this attribute to newest while also setting the current_only attribute to 1. </CODE></PRE> <P>hope it helps</P> Tue, 03 Apr 2018 20:21:11 GMT adonio 2018-04-03T20:21:11Z https://community.splunk.com/t5/Splunk-Search/Does-ignoreOlderThan-work-on-Windows/m-p/301856#M161882 <P>Does ignoreOlderThan work on Windows? Apparently for windows events logs and for open files there might be issues. </P> Tue, 03 Apr 2018 17:51:57 GMT https://community.splunk.com/t5/Splunk-Search/Does-ignoreOlderThan-work-on-Windows/m-p/301856#M161882 ddrillic 2018-04-03T17:51:57Z https://community.splunk.com/t5/Splunk-Search/Does-ignoreOlderThan-work-on-Windows/m-p/301857#M161883 <P>I monitor a set of .log files in C:\logroot and the monitor string obeys ignoreOlderThan. I don't know about WinEventLog.</P> <PRE><CODE>[monitor://C:\logroot\wc.alfresco.txt] disabled = 0 sourcetype=alfresco ignoreOlderThan = 7d index = idx_appdev </CODE></PRE> Tue, 03 Apr 2018 18:36:20 GMT https://community.splunk.com/t5/Splunk-Search/Does-ignoreOlderThan-work-on-Windows/m-p/301857#M161883 JDukeSplunk 2018-04-03T18:36:20Z https://community.splunk.com/t5/Splunk-Search/Does-ignoreOlderThan-work-on-Windows/m-p/301858#M161884 <P>hello @ddrillic</P> <P>for the wineventlogs, you will have to use <CODE>start_from</CODE> in inputs.conf under the relevant stanza/s<BR /> take a look in docs here:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata">http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata</A><BR /> <CODE>start_from</CODE></P> <PRE><CODE> How events are to be read. Acceptable values are oldest (meaning read logs from the oldest to the newest) and newest (meaning read logs from the newest to the oldest.) You cannot set this attribute to newest while also setting the current_only attribute to 1. </CODE></PRE> <P>hope it helps</P> Tue, 03 Apr 2018 20:21:11 GMT https://community.splunk.com/t5/Splunk-Search/Does-ignoreOlderThan-work-on-Windows/m-p/301858#M161884 adonio 2018-04-03T20:21:11Z