Splunk continues to throw an error about the ignoreOlderThan flag on a Windows UF. Any ideas?
Checking conf files for typos...
Possible typo in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf, line 3: ignoreOlderThan = 2d
Here is the text in the inputs.conf:
[WinEventLog:Application]
disabled = 0
ignoreOlderThan = 2d
index = test
[WinEventLog:ForwardedEvents]
[WinEventLog:HardwareEvents]
[WinEventLog:Internet Explorer]
[WinEventLog:Security]
disabled = 0
ignoreOlderThan = 2d
index = test
[WinEventLog:Setup]
[WinEventLog:System]
disabled = 0
ignoreOlderThan = 2d
index = test
Through testing I found that adding "current_only = 1" seemed to do the trick.
So would you recommend using this, or is there a better option?
current_only is more like followTail in non-winevtlog inputs.
under -> Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf
[WinEventLog:System]
disabled = 0
index = test
current_only = 1
Where did you add it?