If I disabled a database input 1 month ago, but wa...

avis1119 · ‎02-10-2015

I configured one firewall on splunk through database inputs. I disabled that port one month ago, but I want to enable it now. My question is, if I enable it now, will all the previous month's logs will come or not? If I want only the logs from yesterday, what changes do I have to do?

mchang_splunk · ‎02-12-2015

Yes, All data created after you disabled the port will be push to Splunk.

Based on the dbmon-tail input http://docs.splunk.com/Documentation/DBX/1.1.6/DeployDBX/Configuredatabasemonitoring#How_dbmon-tail_... ,
for example, if you have ID as a rising_column, you can limit the data by setting like this:
SELECT customer_id, last_name, first_name FROM customer Where ID > 12345 {{AND $rising_column$ > ?}}
With this limit, only ID > 12345 will be push into Splunk.

bobbyfaber · ‎02-12-2015

I would imagine that this is driven by the actual query used to pull the data. Can you share?

If I disabled a database input 1 month ago, but want to enable it to only get yesterday's logs, what do I do?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!