Set forwarder to Ignore previous logs

Navanitha · ‎11-03-2016

We have the forwarder installed on a RHEL server to pull the kern messages into Splunk. The requirement is Splunk should not pull the logs when the server or Splunk service is down (meaning generally when a server is rebooted, splunk will go back to the history where it has stopped reading the logs and then pull the logs from there till recent), We don't want splunk to do that, so it should now pull logs only from the current time when the server or the splunk service has come up. Is there a way we can do this? There is no schedule for a reboot, it might be on adhoc basis.

ddrillic · ‎11-03-2016

Right, you can set the ignoreOlderThan for few minutes. On a regular basis, you take a risk here that if the forwarder hasn't completed its job, you might lose data.

Another way, it that upon reboot, you automatically adjust the ignoreOlderThan to 0 minutes. You can adjust your boot start script to take care of it.

hunters_splunk · ‎11-03-2016

Hi Richgalloway,

You can try adding the following setting in inputs.conf:

ignoreOlderThan = [s|m|h|d]
* The monitor input will compare the modification time on files it encounters
with the current time. If the time elapsed since the modification time
is greater than this setting, it will be placed on the ignore list.
* Files placed on the ignore list will not be checked again for any
reason until the Splunk software restarts, or the file monitoring subsystem
is reconfigured. This is true even if the file becomes newer again at a
later time.

Hope it helps. Thanks!
Hunter

Set forwarder to Ignore previous logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases