@mdsnmss I ran a test and what I need to do is apply ignoreOlderThan on or before first run. As I'm adding new data from a new forwarder, I don't have the option to apply ignoreOlderThan before the forwarder begins to index all logs matching the filename pattern.
Do I need to manually configure a [monitor] block in $SPLUNK_HOME/etc/system/local/inputs.conf on each forwarder, apply ignoreOlderThan, and restart the forwarder in order to prevent old logs from being imported?