How to avoid ingesting files older than a certain time (using ignoreOlderThan)

release date
2018-06-05
last updated
2024-03-04
version
Splunk Enterprise 9.0.5
Overview
How to use the ignoreOlderThan parameter in inputs.conf so that files older than a certain time are not ingested
Reference information
content

If you set the ignoreOlderThan parameter on a monitor stanza in inputs.conf, Splunk will not ingest files whose last modification time is older than the reference time minus the configured interval. The value is a non-negative integer with a unit suffix: s (seconds), m (minutes), h (hours) or d (days).

Example inputs.conf configuration

[monitor:///var/log/abc/xyz.log]
sourcetype = test
ignoreOlderThan = 1d

The reference date and time against which the interval in ignoreOlderThan is measured is the time at which the Splunk service started with the above settings in effect.
This cutoff does not change until Splunk is started or restarted and the configuration is reloaded.

For example, if Splunk starts with ignoreOlderThan=1d set as above at 2023/6/2 00:00:00, and the modification date and time of the /var/log/abc/xyz.log file is earlier than 2023/6/1 00:00:00, the file is excluded from ingestion into Splunk.
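The following script, added here as an illustration and not part of the original FAQ or of Splunk itself, applies the rule described above to a stanza in inputs.conf format: it reads the ignoreOlderThan value with its unit suffix, derives the cutoff from the Splunk start time, and reports which files would be skipped. The stanza text, the start time (2023/6/2 00:00:00 from the example) and the file modification times are constructed sample data; the file names other than xyz.log are hypothetical.

```python
"""Preview which monitored files an ignoreOlderThan setting would skip.

Added example, not part of the original FAQ or of Splunk itself. It models
the rule described above: cutoff = reference time (Splunk start time) minus
the ignoreOlderThan interval; a file whose mtime is earlier than the cutoff
is ignored. All inputs below are constructed sample data.
"""
import re
from datetime import datetime, timedelta

# Seconds per unit suffix accepted by ignoreOlderThan in inputs.conf.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ignore_older_than(value: str) -> timedelta:
    """Convert '1d', '12h', '30m' or '45s' into a timedelta; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", value)
    if not m:
        raise ValueError(f"invalid ignoreOlderThan value: {value!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def parse_inputs_conf(text: str) -> dict:
    """Minimal parser for inputs.conf-style text: {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            stanzas[current][key.strip()] = val.strip()
    return stanzas


def cutoff_time(reference: datetime, ignore_older_than: str) -> datetime:
    """Oldest modification time still accepted: reference time minus the interval."""
    return reference - parse_ignore_older_than(ignore_older_than)


def classify_files(stanza: dict, reference: datetime, mtimes: dict) -> dict:
    """Return {path: 'ingest' | 'ignore'} given each file's modification time.

    A file is ignored only when its mtime is strictly earlier than the cutoff,
    matching the FAQ's example (earlier than 2023/6/1 00:00:00 is excluded).
    """
    if "ignoreOlderThan" not in stanza:
        return {path: "ingest" for path in mtimes}
    cutoff = cutoff_time(reference, stanza["ignoreOlderThan"])
    return {path: ("ignore" if t < cutoff else "ingest") for path, t in mtimes.items()}


# Constructed sample: the stanza from this FAQ.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/abc/xyz.log]
sourcetype = test
ignoreOlderThan = 1d
"""

# Constructed scenario from the FAQ: Splunk started at 2023/6/2 00:00:00.
SPLUNK_START = datetime(2023, 6, 2, 0, 0, 0)

# Constructed modification times (the .1 and .2 files are hypothetical).
SAMPLE_MTIMES = {
    "/var/log/abc/xyz.log": datetime(2023, 5, 31, 23, 59, 59),  # older than cutoff
    "/var/log/abc/xyz.log.1": datetime(2023, 6, 1, 0, 0, 0),     # exactly at cutoff
    "/var/log/abc/xyz.log.2": datetime(2023, 6, 1, 12, 0, 0),    # newer than cutoff
}

if __name__ == "__main__":
    conf = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    stanza = conf["monitor:///var/log/abc/xyz.log"]
    print("cutoff:", cutoff_time(SPLUNK_START, stanza["ignoreOlderThan"]))
    for path, verdict in classify_files(stanza, SPLUNK_START, SAMPLE_MTIMES).items():
        print(f"{verdict:6} {path}")
```

To use it against a real host, replace SPLUNK_START with the actual service start time and SAMPLE_MTIMES with the modification times of the files under the monitored path; the cutoff moves forward each time Splunk restarts, so the result is only valid for the current run.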

※important point※

The cutoff implied by ignoreOlderThan is recalculated from the date and time of the restart whenever Splunk is restarted.
A file that has been placed on the ignore list is not checked again until the next restart (or until the file monitoring configuration is reloaded), even if the file is modified again in the meantime, so do not use this setting on files that may go idle for longer than the interval and then be written to again.
For more details on the contents of this FAQ, please refer to the reference materials below.

How to check the configuration file

To check whether the settings in inputs.conf have been applied correctly, run the following command and confirm that the stanza and its ignoreOlderThan setting are listed. Adding the --debug option to the command prints, in front of each line, the path of the configuration file from which the setting was taken, which is useful when the same stanza exists in more than one app.

$SPLUNK_HOME/bin/splunk cmd btool inputs list

*$SPLUNK_HOME is the installation directory. The defaults are as follows.

<Linux>

Splunk Enterprise : /opt/splunk
Universal Forwarder : /opt/splunkforwarder

<Windows>

Splunk Enterprise : C:\Program Files\Splunk
Universal Forwarder : C:\Program Files\SplunkUniversalForwarder

that's all