Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputs.conf stanza to monitor only current data after changes are pushed to production (ignoring historical data)?

newbie2tech
Communicator
‎09-18-2017 01:57 PM

Hi All,

I want to ingest the log files from an application server directory using universal forwarder.

Log file names are in below pattern

ABC.%d-01-2017.log

Examples:

ABC.09-01-2017.log
ABC.09-02-2017.log
ABC.09-03-2017.log
ABC.09-04-2017.log

What should be the stanza in the inputs.conf on my forwarder such that i only monitor and ingest today's file. Also i have lot of old files in the same path,i want to start ingesting the files from the day i push the changes to production[not interested in historical].

Can you please let me know how to go about this without using "ignoreOlderThan" feature.

I did look at this , wondering if there is any other way -->https://answers.splunk.com/answers/206950/how-to-configure-inputsconf-on-a-universal-forward.html?ut...

Thank you in advance!!

0 Karma
Reply

MousumiChowdhur
Contributor
‎10-04-2017 02:12 AM

I think ignoreOlderThan is a really good option to ignore the older files and I'm also using this in my current environment to ignore lots of older files which reside in the same folder.

0 Karma
Reply

ddrillic
Ultra Champion
‎09-18-2017 02:14 PM

What's wrong with ignoreOlderThan? ; -)

Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...