Hi All,
I want to ingest the log files from an application server directory using universal forwarder.
Log file names are in below pattern
ABC.%d-01-2017.log
Examples:
ABC.09-01-2017.log
ABC.09-02-2017.log
ABC.09-03-2017.log
ABC.09-04-2017.log
What should be the stanza in the inputs.conf on my forwarder such that i only monitor and ingest today's file. Also i have lot of old files in the same path,i want to start ingesting the files from the day i push the changes to production[not interested in historical].
Can you please let me know how to go about this without using "ignoreOlderThan" feature.
I did look at this , wondering if there is any other way -->https://answers.splunk.com/answers/206950/how-to-configure-inputsconf-on-a-universal-forward.html?ut...
Thank you in advance!!
I think ignoreOlderThan is a really good option to ignore the older files and I'm also using this in my current environment to ignore lots of older files which reside in the same folder.
What's wrong with ignoreOlderThan
? ; -)