How to Monitor .txt file without indexing old data...

kiran331 · ‎04-11-2017

Hi

I have a .txt file of large size which has all logs in a single file, I have to monitor the file, is there a way to monitor the text file and index the events starting today?

somesoni2 · ‎04-11-2017

You would've to use the followTail option in the inputs.conf for that file monitoring. Please read the hashed lines.

followTail = [0|1]
* ###WARNING: Use of followTail should be considered an advanced administrative
  action.###
* Treat this setting as an 'action':
  * Enable this setting and start the Splunk software.
  * Wait enough time for the input to identify the related files.
  * Disable the setting and restart.
* ###DO NOT leave followTail enabled in an ongoing fashion.###
* Do not use followTail for rolling log files (log files that get renamed as
  they age), or files whose names or paths vary.
* You can use this to force the input to skip past all current data for a
  given stanza.
  * In more detail: this is intended to mean that if you start the monitor
    with a stanza configured this way, all data in the file at the time it is
    first encountered will not be read. Only data that arrives after the first
    encounter time will be read.
  * This can be used to "skip over" data from old log files, or old portions of
    log files, to get started on current data right away.
* If set to 1, monitoring starts at the end of the file (like tail -f).
* If set to 0, monitoring starts at the beginning of the file.
* Defaults to 0.

How to Monitor .txt file without indexing old data?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases