As most sources start with the drive or a slash (i.e. The bottom will only match if it is at the beginning of the source. Note: for some reason it is taking out my backslashes, so that path looks weird. Yes, the top line will match the words 'messages', 'secure' or 'auth' anywhere in the file or folder name.

This is what I'd like my nf to look like:

Using 'ignoreOlderThan 0d' on the forwarder's nf file works for retrieving today's logs and does ignore yesterday's, so that is the way to do it.

This is my current install:
msiexec.exe /i splunkuniversalforwarder_x86.msi /l splunk_install.log RECEIVING_INDEXER=":9997" MONITOR_PATH="C:\Apps\test\Client\testpath\logs" LAUNCHSPLUNK=1 AGREETOLICENSE=Yes /quiet

Thanks MuS. So am I correct that the only way to do this would be via the REST API? Doing a bit more research, it almost seems easier to write a script that installs Splunk, copies my nf to the install directory, and restarts Splunk.

On top of blacklisting files, you may have rogue systems which spam the heck out of syslog files you care about.

If this is not possible, would it be better to complete the install without the monitoring path and then add the monitoring path to nf via the REST API? I mention the REST API because, when checking the CLI, it didn't appear to support the ignoreOlderThan setting.

Earlier we used the blacklist directive in nf to keep files away from Splunk (be prepared to leverage this extensively if you're pointing Splunk at a directory).

You can see below that I am specifying the monitoring path during the silent install, but I don't see a way to configure the ignoreOlderThan setting.

Hi ncarnevali, that's not correct: the REST API supports ignoreOlderThan, but it is called ignore-older-than in REST.

restartSplunkd false If true, restarts splunkd on the client when a member app or.

By adding the following settings to the serverclass, Splunk will opportunistically reload (and issue a restart if the objects are not reloadable).

I would like to configure ignoreOlderThan = 1d within my default settings within nf during the silent command-line install of the Splunk Universal Forwarder. In Splunk 6.4 and greater, the Universal Forwarder is reloadable via the nf.