We are pulling in DNS debug logs from Windows servers and I have a few servers that have been running for a while, but we are now adding inputs to pull in the event logs. After pushing out the new inputs to the UFs, I noticed that the log files must have data starting around March of this year. At the rate it is ingesting, we won't ever catch up, and I don't need to be pulling in that old data. We are using "MonitorNoHandle" within the inputs to do so, but from my research I can't find any switches that will allow me to start collecting only the "new" events going forward. I found that the Windows monitors have the "start_from" parameter, but that does not seem to work/apply to the MonitorNoHandle stanza from what I can tell. Are there options I am missing that would do this?