What is the file and variable in "Splunk Add-on AWS" for S3, that limits the ingestion of files to 1 hour?

acceo_purch
New Member

Hi,

Please, can someone let me know what the file and variable are in "Splunk Add-on AWS" for S3 that limit the ingestion of files to 1 hour? I didn't find any variable in the inputs.conf file that limits the ingestion of files to 1 hour.

We need to index older files from the S3 bucket, but "Splunk Add-on AWS" only lets us index the last hour.

This is the inputs.conf file

[aws_s3://cloud-logs]
aws_account = abc
aws_s3_region = us-east-1
bucket_name = f-logs
character_set = auto
ct_blacklist = ^$
host_name = s3.us-east-1.amazonaws.com
index = cloud
initial_scan_datetime = 2022-01-14T15:59:18Z
max_items = 100000
max_retries = 3
polling_interval = 300
private_endpoint_enabled = 0
recursion_depth = -1
sourcetype = cloud:json
disabled = 0

Regards

Edgard Patino

nyc_jason
Splunk Employee

Are you looking for log_start_date? See here in the example (which has it under setting up from the UI, though you should be able to do it directly when editing the .conf files too): https://docs.splunk.com/Documentation/AddOns/released/AWS/S3#Configure_a_Generic_S3_input_using_conf...
