For example:
I have an abc.csv with fields
UpdateDate, Name, Employee No, Description.
When I index the data I want to set the condition on
UpdateDate > Currentdate (system date). So if the UpdateDate is less than Currentdate, it should be ignored while indexing into Splunk.
Need to index the data in the CSV that satisfies the condition given above instead of indexing the whole data in the CSV.
Look at attribute MAX_DAYS_AGO in props.conf (associate it with your sourcetype):
http://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Propsconf
I have never tried this with a value of 0, so I am not sure what it will do, but I know a value of 1 will work. You will need to deploy this to your Indexers and restart every Splunk instance there in order for it to take effect, and only events that are indexed after the restart will be affected.