What is the valid option for a [monitor] stanza in inputs.conf?
What is the valid option for a [monitor] stanza in inputs.conf?
In the context of the Splunk inputs.conf file for a [monitor] stanza, 'ignoreOlderThan' is a valid option. This parameter specifies that the input should stop monitoring files if their modification time has passed the defined time window. This helps in managing resource usage by ignoring files that are no longer updated. This capability is particularly useful for large log directories where you may not need to track very old log files.
answer : d
Per the Splunk docs / provided URL reference, scroll down to Monitor syntax Setting: ignoreOlderThan = <time_window> Description: "Causes the input to stop checking files for updates if the file modification time has passed the <time_window> threshold." Default: 0 (disabled)
Well explained, thank you
D is correct