If you index the file with its own source/sourcetype, you can use MAX_DAYS_AGO in props.conf and set it to the number of days since in 2011, that way anything prior is ignored.

<p>MAX_DAYS_AGO = 
* Specifies the maximum number of days past, from the current date, that an extracted date
  can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days).
* IMPORTANT: If your data is older than 2000 days, increase this setting.</p>

http://www.splunk.com/base/Documentation/latest/admin/propsconf

Splunk is going to eat the entire file, I don't know of a setting that will only index specific parts of a file.

However, if you are wanting a specific data set from a file I would advise writing a small script that will write all of the data from year xxxx, in your case 2011, to a file. Then have splunk index that file. If your server is unix based you can cron the script to run every day to keep you file up-to-date.

mewall2

Hm, not sure if I get you right. Do you want to see/search only events from 2011 out of your .bash_history file? If that is the case, you'll have the option in the search-app to drill down only that time-range!

Thanks LCMThoma--But how can I narrow that .bash_history to show only 2011 activity?

Please advise and thanks!

Put ".bash_history*" in the whitelist option (edit your entry on the gui: >manager>data>inputs>files & directories) or simply just monitor exactly that file you want instead of the whole directory