Hello. We have a pesky entry from 80+ days ago that keeps appearing in our search results. We added the `ignoreOlderThan` setting to the `$SPLUNK_HOME\etc\system\local\inputs.conf` file, but the old entry continues to appear in the search results.
The stanza from the `inputs.conf` looks like this:

```
[monitor://c:\Program Files\Microsoft\device\logs\*\MSDevice_MSCP*.txt]
disabled = false
sourcetype = MSDevice_MSCP-MS
ignoreOlderThan = 2d
```

For good measure, we also changed the `inputs.conf` file in the app's directory, to look like this:

```
[monitor://C:\Program Files\Microsoft\device\]
disabled = false
host = bes12
ignoreOlderThan = 48h
```

And the entry continues to get picked up. Is there any other way I can get Splunk to ignore this (and any other older) entry?
Is there another inputs.conf file that has higher precedence? Should we double up on the backslashes in the `.conf` files?
Thanks for your insights!