Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to setup forwarder to ingest logs from a specific date / last day's log and carry on monitoring the future files as they are created?

shivarpith
Path Finder
‎03-28-2016 08:44 AM

i am dealing with a imilar issue, i am trying to ingest webserver logs and the historical log data in webserver is huge and brought splunk down when i tried to ingest. i want splunk UF to start from the latest or the day before's log file and ingest the new log files that are created in future

Example:
exclude logs till march 27th.
ingest march 28th.log
march 29th.log
march 30th.log
march 31th.log
april 1st.log

.
.
.
.
.
and all log files post march 28th ( normal splunk UF behaviour)

can i use current_only=1 setting or any other suggested recommendation.

Hope i was clear enough. Thanks in advance

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-28-2016 09:45 AM

You can set ignoreOlderThan=3d in inputs.conf to do just that, ignore files older than three days or whatever time span you like.

Reply

ddrillic
Ultra Champion
‎03-28-2016 10:46 AM

Just came across the ignoreOlderThan topic at https://answers.splunk.com/topics/ignoreolderthan.html.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...