Getting Data In

inputs.conf stanza to monitor only current data after changes are pushed to production (ignoring historical data)?

newbie2tech
Communicator

Hi All,

I want to ingest the log files from an application server directory using universal forwarder.

Log file names are in below pattern

ABC.%d-01-2017.log

Examples:

ABC.09-01-2017.log
ABC.09-02-2017.log
ABC.09-03-2017.log
ABC.09-04-2017.log

What should be the stanza in the inputs.conf on my forwarder such that i only monitor and ingest today's file. Also i have lot of old files in the same path,i want to start ingesting the files from the day i push the changes to production[not interested in historical].

Can you please let me know how to go about this without using "ignoreOlderThan" feature.

I did look at this , wondering if there is any other way -->https://answers.splunk.com/answers/206950/how-to-configure-inputsconf-on-a-universal-forward.html?ut...

Thank you in advance!!

0 Karma

MousumiChowdhur
Contributor

I think ignoreOlderThan is a really good option to ignore the older files and I'm also using this in my current environment to ignore lots of older files which reside in the same folder.

0 Karma

ddrillic
Ultra Champion

What's wrong with ignoreOlderThan? ; -)

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...