Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Monitor .txt file without indexing old data?

kiran331
Builder
‎04-11-2017 08:51 AM

Hi

I have a .txt file of large size which has all logs in a single file, I have to monitor the file, is there a way to monitor the text file and index the events starting today?

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎04-11-2017 09:31 AM

You would've to use the followTail option in the inputs.conf for that file monitoring. Please read the hashed lines.

followTail = [0|1]
* ###WARNING: Use of followTail should be considered an advanced administrative
  action.###
* Treat this setting as an 'action':
  * Enable this setting and start the Splunk software.
  * Wait enough time for the input to identify the related files.
  * Disable the setting and restart.
* ###DO NOT leave followTail enabled in an ongoing fashion.###
* Do not use followTail for rolling log files (log files that get renamed as
  they age), or files whose names or paths vary.
* You can use this to force the input to skip past all current data for a
  given stanza.
  * In more detail: this is intended to mean that if you start the monitor
    with a stanza configured this way, all data in the file at the time it is
    first encountered will not be read. Only data that arrives after the first
    encounter time will be read.
  * This can be used to "skip over" data from old log files, or old portions of
    log files, to get started on current data right away.
* If set to 1, monitoring starts at the end of the file (like tail -f).
* If set to 0, monitoring starts at the beginning of the file.
* Defaults to 0.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...