Stanza for to ingest logs from specific date

phanichintha · ‎03-05-2021

Hello Team,

I want the stanza to ingest logs from a specific date in Linux or Window environment.

Currently am using windows (ignoreOlderThan = 365d) and the same using for Linux it's not working.

Requirement: I want to ingest logs from Linux via UF and windows machines to Splunk, so I want only 356days or 180days. Can anyone share other than the above stanza?

Example:

[WinEventLog://Security]
disabled = 0
index = trendmicro
sourcetype = %trendmicro%
ignoreOlderThan = 365d
whitelist = 4625,4648,4723,4728,4732,4740,4777,5031,4624,4634

richgalloway · ‎03-05-2021

The ignoreOlderThan setting is for monitor inputs, not WinEventLog. I'm not aware of a setting that controls how far back into the event log the forwarder will read.

---
If this reply helps you, Karma would be appreciated.

phanichintha · ‎03-05-2021

Hello Rich,

If that is not the case, can you please which stanza can I use for my question?

richgalloway · ‎03-05-2021

As I said in my original answer, I'm not aware of ANY settings that do what you want.

However, ingestion of older events is a one-time happening so why not just let it happen?

---
If this reply helps you, Karma would be appreciated.

phanichintha · ‎03-05-2021

please suggest some stanzas to find out the way.

Stanza for to ingest logs from specific date

modular input

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved