I configured one firewall on Splunk through database inputs. I disabled that port one month ago, but I want to enable it now. My question is, if I enable it now, will all the previous month's logs come or not? If I want only the logs from yesterday, what changes do I have to make?
Yes, all data created after you disabled the port will be pushed to Splunk.
Based on the dbmon-tail input http://docs.splunk.com/Documentation/DBX/1.1.6/DeployDBX/Configuredatabasemonitoring#How_dbmon-tail_... ,
for example, if you have ID as a rising_column, you can limit the data by setting like this:
SELECT customer_id, last_name, first_name FROM customer Where ID > 12345 {{AND $rising_column$ > ?}}
With this limit, only ID > 12345 will be pushed into Splunk.
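A local simulation of the behaviour described in the answer above, added here as an example; it is not part of the original post and not DB Connect's own code. It assumes the `{{...}}` clause is applied only once a checkpoint is stored, and it uses a constructed `fw_log` table with a hypothetical `logged_on` date column to derive the ID floor for "yesterday".

```python
import sqlite3

RISING_COLUMN = "id"  # assumed rising column of the constructed table

def render(template, checkpoint):
    # Keep the {{...}} clause only when a checkpoint is stored (assumed model).
    start, end = template.index("{{"), template.index("}}")
    clause = template[start + 2:end] if checkpoint is not None else ""
    sql = template[:start] + clause + template[end + 2:]
    return sql.replace("$rising_column$", RISING_COLUMN)

def poll(conn, template, checkpoint):
    # One polling cycle: return the new row ids and the advanced checkpoint.
    sql = render(template, checkpoint) + " ORDER BY " + RISING_COLUMN
    params = () if checkpoint is None else (checkpoint,)
    ids = [row[0] for row in conn.execute(sql, params)]
    return ids, (ids[-1] if ids else checkpoint)

def floor_before(conn, cutoff_date):
    # Highest id logged before cutoff_date; only rows above it are wanted.
    sql = "SELECT COALESCE(MAX(id), 0) FROM fw_log WHERE logged_on < ?"
    return conn.execute(sql, (cutoff_date,)).fetchone()[0]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fw_log (id INTEGER PRIMARY KEY, "
                 "logged_on TEXT, action TEXT)")
    # Constructed sample rows: ids 3-5 pile up while the input is disabled,
    # ids 6-7 are "yesterday" (2024-03-09 in this sample).
    conn.executemany("INSERT INTO fw_log VALUES (?, ?, ?)", [
        (1, "2024-02-05", "allow"), (2, "2024-02-08", "deny"),
        (3, "2024-02-20", "deny"), (4, "2024-03-01", "allow"),
        (5, "2024-03-08", "deny"), (6, "2024-03-09", "allow"),
        (7, "2024-03-09", "deny"),
    ])
    checkpoint = 2  # last id indexed before the input was disabled

    # Re-enabling with the unchanged query pulls the whole backlog.
    plain = "SELECT id, logged_on, action FROM fw_log {{WHERE $rising_column$ > ?}}"
    backlog, _ = poll(conn, plain, checkpoint)

    # Adding a static floor, as in the answer, skips the old rows.
    floor = floor_before(conn, "2024-03-09")
    limited = ("SELECT id, logged_on, action FROM fw_log WHERE id > "
               + str(floor) + " {{AND $rising_column$ > ?}}")
    recent, new_checkpoint = poll(conn, limited, checkpoint)
    return backlog, floor, recent, new_checkpoint

if __name__ == "__main__":
    print(demo())
```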
I would imagine that this is driven by the actual query used to pull the data. Can you share?