Getting Data In

inputs.conf stanza to monitor only current data after changes are pushed to production (ignoring historical data)?

Communicator

Hi All,

I want to ingest the log files from an application server directory using universal forwarder.

Log file names are in below pattern

ABC.%d-01-2017.log

Examples:

ABC.09-01-2017.log
ABC.09-02-2017.log
ABC.09-03-2017.log
ABC.09-04-2017.log

What should be the stanza in the inputs.conf on my forwarder such that i only monitor and ingest today's file. Also i have lot of old files in the same path,i want to start ingesting the files from the day i push the changes to production[not interested in historical].

Can you please let me know how to go about this without using "ignoreOlderThan" feature.

I did look at this , wondering if there is any other way -->https://answers.splunk.com/answers/206950/how-to-configure-inputsconf-on-a-universal-forward.html?ut...

Thank you in advance!!

0 Karma
Highlighted

Re: inputs.conf stanza to monitor only current data after changes are pushed to production (ignoring historical data)?

Ultra Champion

What's wrong with ignoreOlderThan? ; -)

Highlighted

Re: inputs.conf stanza to monitor only current data after changes are pushed to production (ignoring historical data)?

Contributor

I think ignoreOlderThan is a really good option to ignore the older files and I'm also using this in my current environment to ignore lots of older files which reside in the same folder.

0 Karma