Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

inputs.conf stanza to monitor only current data after changes are pushed to production (ignoring historical data)?

newbie2tech
Communicator
‎09-18-2017 01:57 PM

Hi All,

I want to ingest the log files from an application server directory using universal forwarder.

Log file names are in below pattern

ABC.%d-01-2017.log

Examples:

ABC.09-01-2017.log
ABC.09-02-2017.log
ABC.09-03-2017.log
ABC.09-04-2017.log

What should be the stanza in the inputs.conf on my forwarder such that i only monitor and ingest today's file. Also i have lot of old files in the same path,i want to start ingesting the files from the day i push the changes to production[not interested in historical].

Can you please let me know how to go about this without using "ignoreOlderThan" feature.

I did look at this , wondering if there is any other way -->https://answers.splunk.com/answers/206950/how-to-configure-inputsconf-on-a-universal-forward.html?ut...

Thank you in advance!!

0 Karma
Reply

MousumiChowdhur
Contributor
‎10-04-2017 02:12 AM

I think ignoreOlderThan is a really good option to ignore the older files and I'm also using this in my current environment to ignore lots of older files which reside in the same folder.

0 Karma
Reply

ddrillic
Ultra Champion
‎09-18-2017 02:14 PM

What's wrong with ignoreOlderThan? ; -)

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...