I am monitoring the directory where IIS logs are stored. The universal forwarder is sending the information to a dedicated index.
To upgrade the universal forwarder, I saved the customization files, then I uninstalled the previous version. Then I installed the latest version, copying the customization.
As a result, the universal forwarder re-indexed all files in the logs directory, introducing a license violation.
Is it possible to avoid this behaviour by saving the previous status of the indexed logs?
You should not have uninstalled the forwarder; you install the new version over the existing forwarder. When you wiped out the existing forwarder, you cleared the fishbucket, which tells Splunk that the data has already been indexed.
http://docs.splunk.com/Documentation/Forwarder/6.5.1/Forwarder/Upgradethenixuniversalforwarder
Here's a good blog describing what the fishbucket is and how wiping it out will cause you to reindex the logs:
http://blogs.splunk.com/2008/08/14/what-is-this-fishbucket-thing/
I uninstalled the universal forwarder due to a security policy that blocks file modification by a user or program running without admin rights. However, I was not aware of it. Thank you for your reply.
Can you accept the answer and close out the question?
Be aware also of the ignoreOlderThan parameter at Edit inputs.conf: Causes the monitored input to stop checking files for updates if their modification time (modtime) has passed the threshold.
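An inputs.conf monitor stanza using ignoreOlderThan for an IIS log directory, as an added example that is not part of the original thread. The log path, the index name iis_logs and the 7d threshold are assumptions chosen for illustration.

```ini
# inputs.conf on the universal forwarder (added example, not from the thread).
# Assumed values: the IIS log path, the index name and the 7d threshold.

[monitor://C:\inetpub\logs\LogFiles]
# Hypothetical dedicated index for IIS data.
index = iis_logs
disabled = 0

# Skip any file whose modification time is more than 7 days old.
# If the fishbucket is lost (for example after an uninstall and reinstall),
# the forwarder re-reads only the files modified within this window
# instead of every file in the directory, which bounds the amount of
# duplicate data counted against the license.
ignoreOlderThan = 7d
```

Pick a threshold longer than the longest gap between writes to a log file you still need, since files past the threshold are no longer checked for updates.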