Hello. We have a pesky entry from 80+ days ago that keeps appearing in our search results. We added the ignoreOlderThan setting to the $SPLUNK_HOME\etc\system\local\inputs.conf file, but the old entry continues to appear in the search results.
The stanza from the inputs.conf looks like this:

    [monitor://c:\Program Files\Microsoft\device\logs\*\MSDevice_MSCP*.txt]
    disabled = false
    sourcetype = MSDevice_MSCP-MS
    ignoreOlderThan = 2d
For good measure, we also changed the inputs.conf file in the app's directory, to look like this:

    [monitor://C:\Program Files\Microsoft\device\]
    disabled = false
    host = bes12
    ignoreOlderThan = 48h
And the entry continues to get picked up. Is there any other way I can get Splunk to ignore this (and any other older) entry?
Is there another inputs.conf file that has higher precedence? Should we double up on the backslashes in the
Thanks for your insights!
Glad you were able to figure out the time range in the search, but I fear you may be missing what is happening here. Read this first:
earliest=-48h to the search criteria, we were able to exclude the old entries, thus solving the issue.
But I would still really like to know the "proper" way to edit the inputs.conf file to avoid this issue in the future, and to increase flexibility.
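An added check for both parts of this thread (which inputs.conf wins, and why a time bound on the search is what finally hid the event); it is example code written for this page, not something posted by either participant. It assumes SPLUNK_HOME is set in the environment on the Windows host and that an admin login is available for the `-auth` argument (the `admin:changeme` credential is a placeholder). The btool `--debug` listing prints the file each effective setting came from, so it shows directly whether `system\local` or the app's directory is supplying `ignoreOlderThan` for each monitor stanza; note that the two stanzas quoted above have different names, so layering precedence does not make one override the other, and both inputs are active.

```powershell
# Added example, not from the original thread. Assumes SPLUNK_HOME is set and
# that admin:changeme is a placeholder for a real login.
$splunk = Join-Path $env:SPLUNK_HOME 'bin\splunk.exe'

# 1. Effective inputs.conf after Splunk's layering, with the source file of each
#    line (--debug). system\local beats an app's local, which beats the app's
#    default, but only when two files define the SAME stanza name. Different
#    monitor:// stanzas are separate inputs and each keeps its own settings.
& $splunk btool inputs list --debug |
    Select-String -Pattern 'monitor://', 'ignoreOlderThan', 'disabled' |
    ForEach-Object { $_.Line }

# 2. What the monitor input is currently tracking. A file whose modification
#    time is older than ignoreOlderThan goes on the ignore list and is not
#    re-examined until the instance restarts.
& $splunk list monitor -auth admin:changeme

# 3. ignoreOlderThan is applied when the input decides whether to read a file;
#    it does not remove events that were already indexed. Those stay
#    searchable until they age out of the index, so a time bound on the search
#    itself (earliest=-48h) is what keeps the 80-day-old event out of results.
& $splunk search 'sourcetype=MSDevice_MSCP-MS earliest=-48h | stats count by source' -auth admin:changeme
```

Run the three commands in order: step 1 tells you which file's `ignoreOlderThan` is in force for each stanza, step 2 confirms the old file is on the ignore list rather than still being tailed, and step 3 shows the search-time filter that actually excludes already-indexed events.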