Solved: Re: Why does ignoreolderthan=1d still result in th...

lycollicott · ‎11-24-2015

My 6.3.1 inputs.conf is:

[monitor://E:\Tomcat-instance1\logs]
index=instance1_appl
sourcetype=tomcat-appl
ignoreolderthan=1d

There are 467 files in the E:\Tomcat-instance1\logs directory.
62 files have date stamps within the current month.
123 files are older than 5 months.
The oldest file is 11 months old.
All 467 files are displayed by "splunk list monitor", but that is normal behavior (as far as I know).
All 467 files were indexed and that is not what I expected.

lycollicott · ‎11-24-2015

I figured it out. I used "ignoreolderthan" instead of "ignoreOlderThan" and I never noticed that I had not used the proper case for the parameter.

View solution in original post

lycollicott · ‎11-24-2015

I figured it out. I used "ignoreolderthan" instead of "ignoreOlderThan" and I never noticed that I had not used the proper case for the parameter.

Why does ignoreolderthan=1d still result in the indexing of files older than 1 day?

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

Are you a member of the Splunk Community?

Why does ignoreolderthan=1d still result in the indexing of files older than 1 day?

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal