Archive

Does ignoreOlderThan work on Windows?

Ultra Champion

Does ignoreOlderThan work on Windows? Apparently for windows events logs and for open files there might be issues.

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

hello @ddrillic

for the wineventlogs, you will have to use start_from in inputs.conf under the relevant stanza/s
take a look in docs here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata
start_from

 How events are to be read. Acceptable values are oldest (meaning read logs from the oldest to the newest) and newest (meaning read logs from the newest to the oldest.)
    You cannot set this attribute to newest while also setting the current_only attribute to 1.

hope it helps

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

hello @ddrillic

for the wineventlogs, you will have to use start_from in inputs.conf under the relevant stanza/s
take a look in docs here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata
start_from

 How events are to be read. Acceptable values are oldest (meaning read logs from the oldest to the newest) and newest (meaning read logs from the newest to the oldest.)
    You cannot set this attribute to newest while also setting the current_only attribute to 1.

hope it helps

View solution in original post

0 Karma

Builder

I monitor a set of .log files in C:\logroot and the monitor string obeys ignoreOlderThan. I don't know about WinEventLog.

[monitor://C:\logroot\wc.alfresco.txt]
disabled = 0
sourcetype=alfresco
ignoreOlderThan = 7d
index = idx_appdev
0 Karma