inputs.conf ignore older than typo

aaronkorn · ‎05-21-2013

Splunk continues to throw an error about the ignoreOlderThan flag on a windows UF. Any ideas?

Checking conf files for typos... Possible typo in stanza
[WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\
MSICreated\local\inputs.conf, line 3: ignoreOlderThan = 2d

Here is the text in the inputs.conf:

[WinEventLog:Application]
disabled = 0
ignoreOlderThan = 2d
index = test

[WinEventLog:ForwardedEvents]

[WinEventLog:HardwareEvents]

[WinEventLog:Internet Explorer]

[WinEventLog:Security]
disabled = 0
ignoreOlderThan = 2d
index = test

[WinEventLog:Setup]

[WinEventLog:System]
disabled = 0
ignoreOlderThan = 2d
index = test

aaronkorn · ‎05-21-2013

through testing i found that adding "current_only = 1" seemed to do the trick

aaronkorn · ‎05-21-2013

So would you recommend using this or is there a better option?

kristian_kolb · ‎05-21-2013

current_only is more like followTail in non-winevtlog inputs.

aaronkorn · ‎05-21-2013

under -> Program Files\SplunkUniversalForwarder\etc\apps\MSICreated\local\inputs.conf

[WinEventLog:System]
disabled = 0
index = test
current_only = 1

jkat54 · ‎05-21-2013

Where did you add it?

inputs.conf ignore older than typo

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk