
Don't forward old IIS Logs to Splunk

daymar_23
Explorer

Hello All!

I am configuring Splunk on different servers to send the IIS logs. I am doing it by adding the IIS log folder as a Data Input -> Files & Directories.

But in the IIS log folder there are old logs, and I only want to send to Splunk logs from no more than two days ago.

I already configured MAX_DAYS_AGO=2 in the .props.config, but it doesn't work.

I have tried in these ways:  

With the file in ...\etc\system\local\props.config 

[iis]
MAX_DAYS_AGO=2

---------------- Didn't work

[default]
MAX_DAYS_AGO=2

------------------Didn't work 

Changing the Default in the ..\etc\system\default\props.config

[default]
MAX_DAYS_AGO=2

------------------Didn't work 

Restarting the Splunk service every time when I made the change 

Could somebody tell me what I am missing?

Thanks 

 


saravanan90
Contributor

In inputs.conf we configure the file which needs to be monitored as below. We can add "ignoreOlderThan = 2d" in inputs.conf, as shown below, so that it will exclude the files which are older than 2 days.

[monitor://path_to_logfile.log]
disabled = false
index = iis
sourcetype = iis
crcSalt = <SOURCE>
ignoreOlderThan = 2d

 

If we need to go through each individual event and ignore the data, then we can add it where the data is being parsed. If we are using an intermediate Heavy Forwarder for parsing, then configure it there. If the logs being collected are sent directly to indexers, then we can configure the below on the indexers.

props.conf

[iis]
MAX_DAYS_AGO=2

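To see what the two settings above actually gate on, here is an added Python preview script (not Splunk's code and not from the answer): it applies a file-level modification-time check, like ignoreOlderThan in inputs.conf, and a per-event timestamp check over constructed IIS W3C log lines, like the two-day window MAX_DAYS_AGO defines on the parsing tier. The sample log text, the reference "now" and the function names are assumptions; note that per Splunk's documentation MAX_DAYS_AGO validates extracted timestamps rather than discarding events, so dropping old events per line needs a separate nullQueue transform on the HF/indexer.

```python
"""Preview which IIS W3C log files and events fall inside a two-day window.

Added example, not Splunk's own code. It mimics the two checks discussed in
the thread: a file-level modtime check (like ignoreOlderThan in inputs.conf)
and a per-event timestamp check (the window MAX_DAYS_AGO defines in props.conf).
"""
from datetime import datetime, timedelta, timezone

# Constructed IIS W3C log excerpt; the #Fields header names the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2024-02-20 10:15:01 10.0.0.5 GET /index.html 200
2024-02-28 23:59:59 10.0.0.5 GET /login 302
2024-03-01 08:00:00 10.0.0.5 POST /api/upload 500
"""


def parse_iis_w3c(text):
    """Yield one dict per event, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def event_time(ev):
    # IIS writes the date and time columns in UTC by default.
    stamp = f"{ev['date']} {ev['time']}"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def file_is_too_old(mtime, now, ignore_older_than_days):
    """File-level check, like ignoreOlderThan: based on modtime, not content."""
    return now - mtime > timedelta(days=ignore_older_than_days)


def recent_events(text, now, max_days_ago):
    """Per-event check: keep events whose own timestamp is inside the window.
    Splunk's MAX_DAYS_AGO only validates timestamps; dropping needs a transform."""
    cutoff = now - timedelta(days=max_days_ago)
    return [ev for ev in parse_iis_w3c(text) if event_time(ev) >= cutoff]


if __name__ == "__main__":
    now = datetime(2024, 3, 2, tzinfo=timezone.utc)  # constructed reference time
    for ev in recent_events(SAMPLE_LOG, now, 2):
        print(ev["date"], ev["time"], ev["cs-method"], ev["cs-uri-stem"])
```

A file whose modtime is old is skipped whole by the first check even if it contains recent lines, which is why the forwarder-side and parsing-side settings answer different questions.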


saravanan90
Contributor

This may help.

1. If the file is older than 2 days we can use  ignoreOlderThan = 2d in inputs.conf in forwarder.

2. Please check that the below configuration is in props.conf on the HF/indexer.

[iis]
MAX_DAYS_AGO=2

 

daymar_23
Explorer

Thanks @saravanan90 

Sorry, but I am new to using Splunk. So what do you mean by HF/Indexer?

My local props.config looks like: 

[iis]
MAX_DAYS_AGO=2
TRANSFORMS-null = setnull,setNotFound

And under what label do I have to put the ignoreOlderThan = 2d in my local inputs.conf? 

Thanks for your reply. 
