I'm not getting 'ignoreOlderThan' to work?
disabled = false
index = [redacted]
blacklist = 201[0-9]-[0-1][0-8]
sourcetype = syslog
The directory is full of syslog files from rsyslog. When I do a 'splunk list monitor' its showing files that have dates back in 2017-12? (PS the blacklist was my attempt to stop if monitoring old files).
Like above OP, I have files created each day, but thousands of them. I dont want the UV to 'monitor' the files, but import any new ones. Once the files are created, they are never written too.
... View more