https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331117#M162572 <P>Thanks for your reply, but here the issue is not related to re-indexing. </P> <P>My bad, may be I should have put more information. </P> <P>Example : </P> <P>we have some server X , Y </P> <P>and these 2 servers have log files with year old data. </P> <P>I installed the fwd and start getting logs from these 2 machines. Now the issue is the logs which is already associated with old or last year time stamps when indexed In spunk will take current time. </P> <P>example : </P> <P>event 03/06/017 xyzzy .......... login attempt. </P> <P>during the index time it will take the current time not the actual event time.</P> <P>So do we have any way of these types of events already indexed we can setup the indexed time same as event time ?</P> Tue, 06 Mar 2018 07:13:00 GMT raomu 2018-03-06T07:13:00Z https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331113#M162568 <P>Hello, </P> <P>For the past couple of weeks, we’ve seen events from the past being recently indexed. I assume that these few of the boxes were just powered up, and because of the forwarding infrastructure, that these are “current” events? <BR /> what can be done to keep the past in the past?</P> <P>Thanks.</P> Tue, 06 Mar 2018 03:03:00 GMT https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331113#M162568 raomu 2018-03-06T03:03:00Z https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331114#M162569 <P>Hi, do you have a single source from where data is coming or multiple sources?</P> Tue, 06 Mar 2018 05:41:00 GMT https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331114#M162569 MousumiChowdhur 2018-03-06T05:41:00Z https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331115#M162570 <P>single source.</P> Tue, 06 Mar 2018 06:23:20 GMT https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331115#M162570 raomu 2018-03-06T06:23:20Z https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331116#M162571 <P>Hi, If you have used <CODE>crcSalt = &lt;SOURCE&gt;</CODE> from your <CODE>inputs.conf</CODE> then you should remove that if you your files get rotated after a certain time duration. Setting <CODE>crcSalt</CODE> in such case will cause re-indexing of your data.</P> <P>Thanks!</P> Tue, 06 Mar 2018 07:02:04 GMT https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331116#M162571 MousumiChowdhur 2018-03-06T07:02:04Z https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331117#M162572 <P>Thanks for your reply, but here the issue is not related to re-indexing. </P> <P>My bad, may be I should have put more information. </P> <P>Example : </P> <P>we have some server X , Y </P> <P>and these 2 servers have log files with year old data. </P> <P>I installed the fwd and start getting logs from these 2 machines. Now the issue is the logs which is already associated with old or last year time stamps when indexed In spunk will take current time. </P> <P>example : </P> <P>event 03/06/017 xyzzy .......... login attempt. </P> <P>during the index time it will take the current time not the actual event time.</P> <P>So do we have any way of these types of events already indexed we can setup the indexed time same as event time ?</P> Tue, 06 Mar 2018 07:13:00 GMT https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331117#M162572 raomu 2018-03-06T07:13:00Z https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331118#M162573 <P>Hi @raomu,</P> <P>You can keep the configuration <CODE>DATETIME_CONFIG =</CODE> blank in props.conf instead of setting it to <CODE>CURRENT</CODE> or <CODE>NONE</CODE> that will consider the timestamp of the event.</P> <P>For your reference <A href="https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Propsconf">https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Propsconf</A></P> <P>Thanks. Let me know if that helps.</P> Tue, 06 Mar 2018 07:30:21 GMT https://community.splunk.com/t5/Splunk-Search/what-can-be-done-to-keep-the-past-in-the-past/m-p/331118#M162573 MousumiChowdhur 2018-03-06T07:30:21Z