Solved: Does ignoreOlderThan work on Windows?

ddrillic · ‎04-03-2018

Does ignoreOlderThan work on Windows? Apparently for windows events logs and for open files there might be issues.

adonio · ‎04-03-2018

hello @ddrillic

for the wineventlogs, you will have to use start_from in inputs.conf under the relevant stanza/s
take a look in docs here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata
start_from

 How events are to be read. Acceptable values are oldest (meaning read logs from the oldest to the newest) and newest (meaning read logs from the newest to the oldest.)
    You cannot set this attribute to newest while also setting the current_only attribute to 1.

hope it helps

View solution in original post

adonio · ‎04-03-2018

hello @ddrillic

for the wineventlogs, you will have to use start_from in inputs.conf under the relevant stanza/s
take a look in docs here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata
start_from

 How events are to be read. Acceptable values are oldest (meaning read logs from the oldest to the newest) and newest (meaning read logs from the newest to the oldest.)
    You cannot set this attribute to newest while also setting the current_only attribute to 1.

hope it helps

JDukeSplunk · ‎04-03-2018

I monitor a set of .log files in C:\logroot and the monitor string obeys ignoreOlderThan. I don't know about WinEventLog.

[monitor://C:\logroot\wc.alfresco.txt]
disabled = 0
sourcetype=alfresco
ignoreOlderThan = 7d
index = idx_appdev

Does ignoreOlderThan work on Windows?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life