topic Re: props.conf MAX DAYS AGO editing on indexer or forwarder? in Deployment Architecture

props.conf MAX DAYS AGO editing on indexer or forwarder?

Michael0 — Wed, 19 Mar 2014 13:38:58 GMT

I have added a new host to log to the indexer.

But I just want the last 5 days to be indexed.

So I changed in props.conf file from the forwarder:

MAX DAYS AGO from default 2000 to 5.

Now, when I look at the indexer I can see logs back to Jan. 2014.

Also also changed the value on the indexer himself from MAX DAYS AGO from 2000 to 5, but I still get logfiles indexed which are older than 5 days.

Where I have to change this setting so it works correctly?

Thx

Re: props.conf MAX DAYS AGO editing on indexer or forwarder?

lukejadamec — Wed, 19 Mar 2014 14:55:17 GMT

This should be set in props.conf in the source or sourcetype stanza for that source or sourcetype on the indexer in etc/system/local/.
This will only affect new events. Events that are already indexed will still be there.

Re: props.conf MAX DAYS AGO editing on indexer or forwarder?

Michael0 — Wed, 19 Mar 2014 15:01:09 GMT

Thank you Luke for your answer!
I´m working on a Linux system, where I have added /var/log as the path for syslogging, can you give me an example how my props.conf should be configured, when I just want to index the last 5 days ago?

Re: props.conf MAX DAYS AGO editing on indexer or forwarder?

lukejadamec — Wed, 19 Mar 2014 15:40:21 GMT

Can you post the inputs.conf stanza for this input, and any props.conf you've created for this input?

Re: props.conf MAX DAYS AGO editing on indexer or forwarder?

Michael0 — Mon, 28 Sep 2020 16:11:20 GMT

I have not created any configs, I just changed the setting on the forwarder under: /opt/splunkforwarder/etc/system/default/props.conf from MAX_DAYS_AGO=2000 --> MAX_DAYS_AGO=5, then restarted the splunk service

Re: props.conf MAX DAYS AGO editing on indexer or forwarder?

linu1988 — Thu, 20 Mar 2014 09:43:05 GMT

Hello Michael,
You need to put the configuration at indexer end rather than at forwarder. If you are not using a heavy forwarder the configuration is of no use at forwarder end which doesn't parse your raw data. So put the same setting in indexer which will work as you expect.

Thanks

Re: props.conf MAX DAYS AGO editing on indexer or forwarder?

Michael0 — Mon, 28 Sep 2020 16:11:29 GMT

ok, so I just have to make a copy from $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf with the value:
[default]
MAX_DAYS_AGO=5

And it should work?

Re: props.conf MAX DAYS AGO editing on indexer or forwarder?

vigneshnarendra — Mon, 12 Oct 2020 07:10:25 GMT

You can use ignoreOlderThan = 5d at Universal Forwarder to restrict indexing of logs older than 5 days.