Hi,
I would like to configure ignoreOlderThan = 1d within my default settings within inputs.conf during the silent command line install of the Splunk universal forwarder.
You can see below I am specifying the monitoring path during the silent install but I don't see a way to configure the ignoreOlderThan setting. Is this possible?
If this is not possible, would it be better to complete the install without the monitoring path and then add the monitoring path to inputs.conf via REST API? I mention the REST API, because when checking the CLI it didn't appear to support ignoreOlderThan setting.
This is my current install:
msiexec.exe /i splunkuniversalforwarder_x86.msi /l splunk_install.log RECEIVING_INDEXER="server.testserver.com:9997" MONITOR_PATH="C:\Apps\test\Client\testpath\logs" LAUNCHSPLUNK=1 AGREETOLICENSE=Yes /quiet
This is what I'd like my inputs.conf to look like:
[default]
ignoreOlderThan = 7d
[monitor://C:\Apps\test\Client\testpath\logs]
disabled = false
**Note for some reason it is taking out my backslashes so that path looks weird.
Hi ncarnevali,
That's not correct, the REST api supports ignoreOlderThan
but it is called ignore-older-than
in REST. See the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/RESTREF/RESTinput#data.2Finputs.2Fmonitor in the POST
section.
Hope this helps ...
cheers, MuS
Hi ncarnevali,
That's not correct, the REST api supports ignoreOlderThan
but it is called ignore-older-than
in REST. See the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/RESTREF/RESTinput#data.2Finputs.2Fmonitor in the POST
section.
Hope this helps ...
cheers, MuS
Thanks MuS,
So am I correct the only way to do this would be via the REST api?
Doing a bit more research it almost seems easier to write a script that installs Splunk, copies my input.conf to the install directory, and restarts Splunk.
That would be another option or use a Deployment server and provide the configs. The later makes sense if your using a large deployment and if you want to be able to configure your forwarders from within Splunk.
I ended up writing the script as I am using the free version and the deployment server isn't an option.