Stanza to ingest logs from a specific date
Hello Team,
I want the stanza to ingest logs from a specific date in a Linux or Windows environment.
Currently I am using (ignoreOlderThan = 365d) for Windows, and using the same for Linux, it's not working.
Requirement: I want to ingest logs from Linux via UF and from Windows machines to Splunk, so I want only 356 days or 180 days. Can anyone share something other than the above stanza?
Example:
[WinEventLog://Security]
disabled = 0
index = trendmicro
sourcetype = %trendmicro%
ignoreOlderThan = 365d
whitelist = 4625,4648,4723,4728,4732,4740,4777,5031,4624,4634


The ignoreOlderThan setting is for monitor inputs, not WinEventLog. I'm not aware of a setting that controls how far back into the event log the forwarder will read.
If this reply helps you, Karma would be appreciated.
Hello Rich,
If that is not the case, can you please tell me which stanza I can use for my question?


As I said in my original answer, I'm not aware of ANY settings that do what you want.
However, ingestion of older events is a one-time happening so why not just let it happen?
If this reply helps you, Karma would be appreciated.
Please suggest some stanzas to find out the way.
