Hello Team,
I want the stanza to ingest logs from a specific date in a Linux or Windows environment.
Currently I am using it on Windows (ignoreOlderThan = 365d), and using the same on Linux is not working.
Requirement: I want to ingest logs from Linux via UF and from Windows machines to Splunk, so I want only 356 days or 180 days. Can anyone share a stanza other than the above?
Example:
[WinEventLog://Security]
disabled = 0
index = trendmicro
sourcetype = %trendmicro%
ignoreOlderThan = 365d
whitelist = 4625,4648,4723,4728,4732,4740,4777,5031,4624,4634
The ignoreOlderThan setting is for monitor inputs, not WinEventLog. I'm not aware of a setting that controls how far back into the event log the forwarder will read.
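To illustrate the distinction made above, here is an added inputs.conf example (not from the original post or the answer): ignoreOlderThan is honoured only inside a [monitor://] stanza, where it skips files whose modification time is older than the window, so a Linux universal forwarder can use it while the same line in a WinEventLog stanza has no effect. The file path, index and sourcetype values are assumed for illustration.

```ini
# Added example, not the asker's configuration.
# Linux universal forwarder: ignoreOlderThan works here because this is a
# monitor input. Splunk compares each file's modification time with the
# current time and puts files untouched for more than 365 days on the
# ignore list. Path and sourcetype are assumed values.
[monitor:///var/log/secure]
disabled = 0
index = trendmicro
sourcetype = linux_secure
ignoreOlderThan = 365d

# Windows forwarder: the same setting is not a WinEventLog option and does
# nothing here, so the forwarder still reads the whole Security log.
[WinEventLog://Security]
disabled = 0
index = trendmicro
whitelist = 4625,4648,4723,4728,4732,4740,4777,5031,4624,4634
```

Note that ignoreOlderThan is evaluated on the file's modification time, not on event timestamps, so a log file that is still being written to is read in full even if it contains year-old entries.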
Hello Rich,
If that is not the case, can you please tell me which stanza I can use for my question?
As I said in my original answer, I'm not aware of ANY settings that do what you want.
However, ingestion of older events is a one-time happening so why not just let it happen?
Please suggest some stanzas to find a way.