https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599417#M104525 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245819">@dujas</a>,</P><P>sorry I didn't understand you question!</P><P>let me understand:</P><UL><LI>you configured inputs with ignoreOlder=10d and indexed events,</LI><LI>then you configured inputs with ignoreOlder=30d and indexed events,</LI><LI>then you configured again inputs with ignoreOlder=10d and indexed events,</LI><LI>at the end you have events older than 10d,</LI></UL><P>is this what you did?</P><P>In this way you indexed data older than 10d and passing time you have events older than 10 days, so the indexed events are still in Splunk and you can search them until they go out of the retention period.</P><P>If you want to discard events older than 10 days also in indexes, you have to confiure a retention of 10 days for your index using the "<SPAN>FrozenTimePeriodInSecs" option in indexes.conf in the your_index stanza.</SPAN></P><P>For more infos see at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf</A>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Thu, 26 May 2022 10:55:40 GMT gcusello 2022-05-26T10:55:40Z https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599374#M104518 <P>Hi All,</P> <P>I set ignoreOlderThan = 10d and it worked as expected, the files older than 10 days were not searched. Once I set that value to 30d, all files came out. So far it is working as expected.</P> <P>However, after I set it back to 10d, there was no difference and all files including those ones older than 10 days came out as well, is this as expected? I have restarted both the UF and server.</P> <P>Thanks.</P> Thu, 26 May 2022 15:06:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599374#M104518 dujas 2022-05-26T15:06:34Z https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599378#M104519 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245819">@dujas</a>,</P><P>olderThan works on the event Timestamp, did you checked the timestamp of the events?</P><P>What's the retention of your index?</P><P>Ciao.</P><P>Giuseppe</P> Thu, 26 May 2022 07:00:08 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599378#M104519 gcusello 2022-05-26T07:00:08Z https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599385#M104520 <P>Hi Giuseppe,</P><P>Thanks for the reply.</P><P>The log files older than 10 days were not updated since then, the modification time is not changed at all.</P><P>Best Regards,</P><P>Jason Du</P> Thu, 26 May 2022 07:58:58 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599385#M104520 dujas 2022-05-26T07:58:58Z https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599417#M104525 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245819">@dujas</a>,</P><P>sorry I didn't understand you question!</P><P>let me understand:</P><UL><LI>you configured inputs with ignoreOlder=10d and indexed events,</LI><LI>then you configured inputs with ignoreOlder=30d and indexed events,</LI><LI>then you configured again inputs with ignoreOlder=10d and indexed events,</LI><LI>at the end you have events older than 10d,</LI></UL><P>is this what you did?</P><P>In this way you indexed data older than 10d and passing time you have events older than 10 days, so the indexed events are still in Splunk and you can search them until they go out of the retention period.</P><P>If you want to discard events older than 10 days also in indexes, you have to confiure a retention of 10 days for your index using the "<SPAN>FrozenTimePeriodInSecs" option in indexes.conf in the your_index stanza.</SPAN></P><P>For more infos see at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf</A>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Thu, 26 May 2022 10:55:40 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599417#M104525 gcusello 2022-05-26T10:55:40Z https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599466#M104536 <P>Thanks Giuseppe, this explanation helps me out.</P> Thu, 26 May 2022 17:07:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599466#M104536 dujas 2022-05-26T17:07:51Z https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599525#M104545 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245819">@dujas</a>,</P><P>good for you, see next time!</P><P>If my answer solves your need, please accept it for the other people of Community.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 27 May 2022 06:20:04 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-ignoreOlderThan-not-work-after-modification/m-p/599525#M104545 gcusello 2022-05-27T06:20:04Z