Re: How to process a file only once?

a212830 · ‎08-26-2016

Hi,

I want to read a file only once, after initial splunk install, and then, never again (but the file will continue to get updated). Is there any way to do this?

inventsekar · ‎08-26-2016

Please check - inputs.conf has a parameter - ignoreOlderThan.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Inputsconf

ignoreOlderThan = [s|m|h|d]
* Causes the monitored input to stop checking files for updates if their
modtime has passed this threshold. This improves the speed of file tracking
operations when monitoring directory hierarchies with large numbers of
historical files (for example, when active log files are colocated with old
files that are no longer being written to).
* As a result, do not select a cutoff that could ever occur for a file
you wish to index. Take downtime into account!
Suggested value: 14d , which means 2 weeks
* A file whose modtime falls outside this time window when seen for the first
time will not be indexed at all.
* Default: 0, meaning no threshold.

lycollicott · ‎08-26-2016

I suppose you could ingest it and then remove the monitor for it.

(Out of curiosity, what kind of file is it?)

sloshburch · ‎08-26-2016

Agreed. You could just upload it through the UI or do a oneshot. The batch stanza is also an option but it's destructive. So, we really need to better understand the context to get more creative.

a212830 · ‎08-26-2016

It's part of the chef recipe. I want to track the installation process. I can't delete or control the logfile in anyway - the logging from chef automatically goes there. After the initial call for the splunk forwarder via a recipe, I'm not interested in the output.

How to process a file only once?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes