Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Set forwarder to Ignore previous logs

Navanitha
Path Finder
‎11-03-2016 03:09 AM

We have the forwarder installed on a RHEL server to pull the kern messages into Splunk. The requirement is Splunk should not pull the logs when the server or Splunk service is down (meaning generally when a server is rebooted, splunk will go back to the history where it has stopped reading the logs and then pull the logs from there till recent), We don't want splunk to do that, so it should now pull logs only from the current time when the server or the splunk service has come up. Is there a way we can do this? There is no schedule for a reboot, it might be on adhoc basis.

Tags (3)
0 Karma
Reply

ddrillic
Ultra Champion
‎11-03-2016 07:54 AM

Right, you can set the ignoreOlderThan for few minutes. On a regular basis, you take a risk here that if the forwarder hasn't completed its job, you might lose data.

Another way, it that upon reboot, you automatically adjust the ignoreOlderThan to 0 minutes. You can adjust your boot start script to take care of it.

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎11-03-2016 07:43 AM

Hi Richgalloway,

You can try adding the following setting in inputs.conf:

ignoreOlderThan = [s|m|h|d]
* The monitor input will compare the modification time on files it encounters
with the current time. If the time elapsed since the modification time
is greater than this setting, it will be placed on the ignore list.
* Files placed on the ignore list will not be checked again for any
reason until the Splunk software restarts, or the file monitoring subsystem
is reconfigured. This is true even if the file becomes newer again at a
later time.

Hope it helps. Thanks!
Hunter

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...