How to Monitor .txt file without indexing old data?

kiran331
Builder

Hi

I have a large .txt file which has all the logs in a single file. I have to monitor the file. Is there a way to monitor the text file and index the events starting today?


somesoni2
Revered Legend

You would have to use the followTail option in inputs.conf for that file monitoring. Please read the hashed lines.

followTail = [0|1]
* ###WARNING: Use of followTail should be considered an advanced administrative
  action.###
* Treat this setting as an 'action':
  * Enable this setting and start the Splunk software.
  * Wait enough time for the input to identify the related files.
  * Disable the setting and restart.
* ###DO NOT leave followTail enabled in an ongoing fashion.###
* Do not use followTail for rolling log files (log files that get renamed as
  they age), or files whose names or paths vary.
* You can use this to force the input to skip past all current data for a
  given stanza.
  * In more detail: this is intended to mean that if you start the monitor
    with a stanza configured this way, all data in the file at the time it is
    first encountered will not be read. Only data that arrives after the first
    encounter time will be read.
  * This can be used to "skip over" data from old log files, or old portions of
    log files, to get started on current data right away.
* If set to 1, monitoring starts at the end of the file (like tail -f).
* If set to 0, monitoring starts at the beginning of the file.
* Defaults to 0.
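
The first-encounter behaviour described in the setting text above, as a small Python model added here for illustration; it is not Splunk code and not part of the original answer. The `TailMonitor` class, the file names and the sample events are constructed, and the per-file offset that survives after the switch is turned off is an assumption about how a monitor remembers its position.

```python
import os
import tempfile

class TailMonitor:
    """Toy model of a file monitor with a followTail-style switch (not Splunk code)."""
    def __init__(self, follow_tail):
        self.follow_tail = follow_tail
        self.offsets = {}  # path -> bytes already consumed (assumed persistent checkpoint)

    def poll(self, path):
        """Return complete lines of `path` that have not been consumed yet."""
        if path not in self.offsets:
            # First encounter: followTail=1 starts at end of file, followTail=0 at byte 0.
            self.offsets[path] = os.path.getsize(path) if self.follow_tail else 0
        with open(path, "rb") as fh:
            fh.seek(self.offsets[path])
            data = fh.read()
        end = data.rfind(b"\n") + 1  # leave a partially written last line for later
        self.offsets[path] += end
        return data[:end].decode().splitlines()

def append(path, *lines):
    with open(path, "a") as fh:
        fh.writelines(line + "\n" for line in lines)

def demo():
    out = {}
    with tempfile.TemporaryDirectory() as d:
        big = os.path.join(d, "app.txt")
        append(big, "old event 1", "old event 2")    # constructed backlog
        mon = TailMonitor(follow_tail=True)           # "enable this setting and start"
        out["first_poll"] = mon.poll(big)             # backlog is skipped
        append(big, "today event A")
        out["after_append"] = mon.poll(big)           # only data after first encounter
        # Setting left on: a file that shows up later already holding data loses it.
        late = os.path.join(d, "late.txt")
        append(late, "today event B")
        out["new_file_while_enabled"] = mon.poll(late)
        mon.follow_tail = False                       # "disable the setting and restart"
        fresh = os.path.join(d, "fresh.txt")
        append(fresh, "today event C")
        out["new_file_after_disable"] = mon.poll(fresh)
        out["known_file_after_disable"] = mon.poll(big)  # backlog is not re-read
    return out

if __name__ == "__main__":
    for name, lines in demo().items():
        print(f"{name}: {lines}")
```

The `new_file_while_enabled` case is the ingestion gap behind the advice not to leave followTail on or use it with rolling files: every file first seen while the switch is set has its existing content dropped.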