Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputs.conf stanza to monitor only current data after changes are pushed to production (ignoring historical data)?

newbie2tech
Communicator
‎09-18-2017 01:57 PM

Hi All,

I want to ingest the log files from an application server directory using universal forwarder.

Log file names are in below pattern

ABC.%d-01-2017.log

Examples:

ABC.09-01-2017.log
ABC.09-02-2017.log
ABC.09-03-2017.log
ABC.09-04-2017.log

What should be the stanza in the inputs.conf on my forwarder such that i only monitor and ingest today's file. Also i have lot of old files in the same path,i want to start ingesting the files from the day i push the changes to production[not interested in historical].

Can you please let me know how to go about this without using "ignoreOlderThan" feature.

I did look at this , wondering if there is any other way -->https://answers.splunk.com/answers/206950/how-to-configure-inputsconf-on-a-universal-forward.html?ut...

Thank you in advance!!

0 Karma
Reply

MousumiChowdhur
Contributor
‎10-04-2017 02:12 AM

I think ignoreOlderThan is a really good option to ignore the older files and I'm also using this in my current environment to ignore lots of older files which reside in the same folder.

0 Karma
Reply

ddrillic
Ultra Champion
‎09-18-2017 02:14 PM

What's wrong with ignoreOlderThan? ; -)

Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top