How to avoid importing files older than a certain time (using ignoreOlderThan)
- Release date: 2018-06-05
- Last updated: 2024-03-04
- Version: Splunk Enterprise 9.0.5
- Overview: How to use the ignoreOlderThan parameter in inputs.conf so that files older than a certain time are not imported
- Content:
If you set the ignoreOlderThan parameter in inputs.conf, Splunk will not fetch files whose modification time is older than the configured age, measured back from the reference time.

Example inputs.conf configuration:

[monitor:///var/log/abc/xyz.log]
sourcetype = test
ignoreOlderThan = 1d

The reference date and time for the period specified in ignoreOlderThan is the time at which the Splunk service starts with the above settings applied. This reference does not change unless Splunk is started or restarted so that the configuration is reloaded.

For example, if you set ignoreOlderThan = 1d as above and Splunk starts on 2023/6/2 00:00:00, then if the modification time of /var/log/abc/xyz.log is earlier than 2023/6/1 00:00:00, the file is excluded from import into Splunk.
※ Important point ※
The time range criterion specified by ignoreOlderThan is re-evaluated from the date and time of the restart whenever Splunk is restarted.
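Because files that fall outside the threshold are skipped silently, it is useful to know before a restart which monitored files will be left out of the index. The following script is an added example (not from the original FAQ and not Splunk's own code): it parses the [monitor://...] stanzas of an inputs.conf text, converts the ignoreOlderThan value, and applies the age check with the service start time as the reference, as the FAQ describes. It assumes the s/m/h/d suffix syntax documented for ignoreOlderThan, plain paths or simple * globs in the monitor stanza (Splunk's recursive "..." wildcard is not handled), and uses constructed sample data.

```python
import fnmatch
import re
from datetime import datetime, timedelta

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # ignoreOlderThan suffixes (assumed from Splunk's documented syntax)

def parse_ignore_older_than(value):
    # Turn a value such as '1d' or '12h' into a timedelta.
    m = re.fullmatch(r"\s*(\d+)([smhd])\s*", value)
    if not m:
        raise ValueError(f"unsupported ignoreOlderThan value: {value!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])

def monitor_thresholds(conf_text):
    # Map each [monitor://...] path to its ignoreOlderThan timedelta, if set.
    thresholds, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # new stanza; only monitor:// stanzas matter here
            current = line[len("[monitor://"):-1] if line.startswith("[monitor://") else None
        elif current and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "ignoreOlderThan":
                thresholds[current] = parse_ignore_older_than(val)
    return thresholds

def excluded_files(conf_text, files, splunk_start):
    # files: {path: last-modified datetime}; splunk_start is the service (re)start
    # time, which the FAQ says is the reference point for the age check.
    thresholds = monitor_thresholds(conf_text)
    return sorted(p for p, mtime in files.items()
                  if any(fnmatch.fnmatch(p, pat) and mtime < splunk_start - age
                         for pat, age in thresholds.items()))

# Constructed sample: the FAQ's stanza plus a second monitor, evaluated at the FAQ's start time.
SAMPLE_CONF = """
[monitor:///var/log/abc/xyz.log]
sourcetype = test
ignoreOlderThan = 1d
[monitor:///var/log/app/*.log]
ignoreOlderThan = 12h
"""
SPLUNK_START = datetime(2023, 6, 2, 0, 0, 0)
SAMPLE_FILES = {
    "/var/log/abc/xyz.log": datetime(2023, 5, 31, 23, 0, 0),  # older than 1d: skipped
    "/var/log/app/fresh.log": datetime(2023, 6, 1, 20, 0, 0),  # within 12h: read
    "/var/log/app/stale.log": datetime(2023, 6, 1, 8, 0, 0),   # older than 12h: skipped
}
```

Run excluded_files(SAMPLE_CONF, SAMPLE_FILES, SPLUNK_START) to list the paths that would be skipped; to check a live host, replace SAMPLE_FILES with the actual modification times from the monitored directories.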
For more details on the contents of this FAQ, please refer to the reference materials below.

How to check the configuration file
To check whether the settings in inputs.conf have been applied correctly, run the following command and confirm that the settings are displayed:

$SPLUNK_HOME/bin/splunk cmd btool inputs list

*$SPLUNK_HOME is the installation directory. The defaults are as follows.

<Linux>
Splunk Enterprise : /opt/splunk
Universal Forwarder : /opt/splunkforwarder

<Windows>
Splunk Enterprise : C:\Program Files\Splunk
Universal Forwarder : C:\Program Files\SplunkUniversalForwarder
Contact: Macnica Splunk team
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
- Mon-Fri 8:45-17:30