
If I disabled a database input 1 month ago, but want to enable it to only get yesterday's logs, what do I do?

New Member

I configured one firewall on Splunk through database inputs. I disabled that port one month ago, but I want to enable it now. My question is, if I enable it now, will all the previous month's logs come or not? If I want only the logs from yesterday, what changes do I have to make?

0 Karma

Splunk Employee

Yes, all data created after you disabled the port will be pushed to Splunk.

Based on the dbmon-tail input (http://docs.splunk.com/Documentation/DBX/1.1.6/DeployDBX/Configuredatabasemonitoring#How_dbmon-tail_...),
for example, if you have ID as a rising_column, you can limit the data by setting it like this:
SELECT customer_id, last_name, first_name FROM customer WHERE ID > 12345 {{AND $rising_column$ > ?}}
With this limit, only ID > 12345 will be pushed into Splunk.

0 Karma
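The effect of the fixed lower bound in the answer above can be checked offline before re-enabling the input. This is an added example, not part of the original answer or of DB Connect: it uses an in-memory SQLite table, and the table name `fw_log`, the `log_time` column, the checkpoint value and all rows are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 31, 12, 0)  # constructed "current time"

def build_sample_db():
    # Constructed table: ids 1..40, one row per day, id 40 written at NOW.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fw_log (id INTEGER PRIMARY KEY, log_time TEXT)")
    rows = [(i, (NOW - timedelta(days=40 - i)).isoformat()) for i in range(1, 41)]
    db.executemany("INSERT INTO fw_log VALUES (?, ?)", rows)
    return db

def floor_for_yesterday(db, now=NOW):
    # Highest id that is older than yesterday 00:00; rows above it are kept.
    start = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    (first,) = db.execute(
        "SELECT MIN(id) FROM fw_log WHERE log_time >= ?", (start.isoformat(),)
    ).fetchone()
    if first is None:  # nothing logged since yesterday: skip the whole backlog
        (last,) = db.execute("SELECT COALESCE(MAX(id), 0) FROM fw_log").fetchone()
        return last
    return first - 1

def tail_read(db, checkpoint, floor=0):
    # Mirrors: ... WHERE id > <floor> {{AND $rising_column$ > ?}}
    cur = db.execute(
        "SELECT id FROM fw_log WHERE id > ? AND id > ? ORDER BY id", (floor, checkpoint)
    )
    return [r[0] for r in cur]

if __name__ == "__main__":
    db = build_sample_db()
    checkpoint = 10  # last id read before the input was disabled (constructed)
    print("no floor  :", len(tail_read(db, checkpoint)), "rows")
    floor = floor_for_yesterday(db)
    print("floor", floor, ":", tail_read(db, checkpoint, floor))
```

The value returned by `floor_for_yesterday` is what would take the place of `12345` in the query from the answer.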

Explorer

I would imagine that this is driven by the actual query used to pull the data. Can you share?

0 Karma