I want to read a file only once, after initial splunk install, and then, never again (but the file will continue to get updated). Is there any way to do this?
Please check - inputs.conf has a parameter - ignoreOlderThan.
ignoreOlderThan = [s|m|h|d]
* Causes the monitored input to stop checking files for updates if their
modtime has passed this threshold. This improves the speed of file tracking
operations when monitoring directory hierarchies with large numbers of
historical files (for example, when active log files are colocated with old
files that are no longer being written to).
* As a result, do not select a cutoff that could ever occur for a file
you wish to index. Take downtime into account!
Suggested value: 14d , which means 2 weeks
* A file whose modtime falls outside this time window when seen for the first
time will not be indexed at all.
* Default: 0, meaning no threshold.
I suppose you could ingest it and then remove the monitor for it.
(Out of curiosity, what kind of file is it?)
Agreed. You could just upload it through the UI or do a oneshot. The batch stanza is also an option but it's destructive. So, we really need to better understand the context to get more creative.
It's part of the chef recipe. I want to track the installation process. I can't delete or control the logfile in anyway - the logging from chef automatically goes there. After the initial call for the splunk forwarder via a recipe, I'm not interested in the output.