Hi guys, in my scenario a universal forwarder (UF version 4.3.2 for AIX) monitors about 700 small files, and the CPU usage will be more than 60%. I set the parameter 'ignoreOlderThan=1d' to reduce the CPU usage, but once the modtime of these files changes I want the updated data collected. After this configuration, the data updated in these small files after 23:59:59 until the next day will not be collected by the Splunk agent. So I wanna ask the questions below:
1. Is the mechanism of 'ignoreOlderThan' based not on the file's modtime, but on the continuous time that the Splunk forwarder has monitored it since the agent started? Otherwise, why would the updated data be ignored?
2. I did some tests: I created a file at 10:00am and set 'ignoreOlderThan=60s' in inputs.conf to monitor it, then I started the agent at 10:05am, and this file was still indexed.
I know the instruction document says 'ignoreOlderThan' checks files by the modtime, but in my case it doesn't work. I haven't tried the current version of splunkforwarder.