Inputs.conf to monitor in given time range only

meenal901 · ‎01-06-2015

Hi,

I have a situation: The logs are getting generated 24x7, but the client wants to monitor only during offline hours (18:55 to 07:00). Even if I stop Splunk in online hours, the logs will get indexed.. Is there a solution where I tell splunk to index only in given time range or ignore events older than last 1 hour? The ignoreolderthan parameter of inputs.conf works on last modified date of the files, what about the events within?

Any help would be great!

Thanks.

esix_splunk · ‎01-06-2015

Use cron to stop/start your syslog listener during that time..

kml_uvce · ‎01-06-2015

use transforms and props.conf file and drop online events(not index) , match _time field in regex in transforms.conf
see route and filter data in http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

MuS · ‎01-07-2015

out of pure curiosity, how would you do an regex on an epoch time for those online hours?

meenal901 · ‎01-07-2015

Agreed.. It may not be possible to filter out based on REGEX in props/transforms.

Inputs.conf to monitor in given time range only

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)