I have configured an input through a REST API to get data into Splunk. Recently I disabled one input since there was a high volume of data coming in. If we enable it back, do we get all the historical data, since there is no timestamp? How do we get only the latest data from the time it was enabled and ignore the historical data?
Sample event:
[quartzJobExecutor-1] INFO c.c.c.r.c.s.m.i.DataSetMatcherServiceImpl - Computing similarity scores took 0 ms
It depends on the design of the input. The developer should have documented how it works.
It depends on the API being used. Some will return all events if no start time is specified, but have a limit to how far back they will go.
Why do you not have a timestamp? You could set DATETIME_CONFIG = current for the sourcetype to ensure all events get a timestamp.
The source by default doesn't have a timestamp. If we set DATETIME_CONFIG = current, does it ignore historical data and get only the data from the time of configuration?
DATETIME_CONFIG = current assigns a timestamp to events as they are indexed. It doesn't affect data already indexed. Having a timestamp on your data means you can pick up where you left off.
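The "pick up where you left off" idea above is normally implemented as a checkpoint inside the input itself. The following is an added example, not Splunk's code or any vendor's API: `fetch(since)` is a hypothetical REST call that returns events with an epoch `time` field, the `store` dict stands in for the input's checkpoint file, and the sample events are constructed. When no checkpoint exists (first run, or the input was re-enabled after its checkpoint was cleared), polling starts from the current time so the API's backlog is skipped instead of re-ingested.

```python
import json


def load_checkpoint(store, now):
    """Epoch time to poll from. A missing checkpoint (first run, or a
    re-enabled input whose checkpoint was cleared) starts at `now`, so
    historical data held by the API is not pulled in again."""
    return store.get("last_time", now)


def save_checkpoint(store, last_time):
    store["last_time"] = last_time


def poll_since_checkpoint(fetch, store, now):
    """One polling cycle. `fetch(since)` is the hypothetical API call;
    `store` is a dict standing in for the input's checkpoint file."""
    start = load_checkpoint(store, now)
    batch = fetch(start)
    # Filter client-side too: some APIs ignore the start parameter and
    # return their whole (possibly bounded) history on every call.
    fresh = [e for e in batch if e["time"] > start]
    # Advance the checkpoint to the newest event actually seen, not to
    # `now`, so events the API delivers late are not skipped next cycle.
    save_checkpoint(store, max((e["time"] for e in fresh), default=start))
    return fresh


def write_checkpoint(store, path):
    """Persist the checkpoint between runs (a real input would write this
    to its checkpoint directory)."""
    with open(path, "w") as fh:
        json.dump(store, fh)


def read_checkpoint(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


# Constructed sample: an API that ignores `since` and returns everything.
SAMPLE_EVENTS = [
    {"time": 100, "msg": "Computing similarity scores took 0 ms"},
    {"time": 200, "msg": "Computing similarity scores took 0 ms"},
    {"time": 300, "msg": "Computing similarity scores took 0 ms"},
]


def fake_fetch(since):
    return list(SAMPLE_EVENTS)


if __name__ == "__main__":
    store = {}
    print(poll_since_checkpoint(fake_fetch, store, now=250))  # only time 300
    print(poll_since_checkpoint(fake_fetch, store, now=350))  # nothing new
```

Run once with the input enabled at `now=250` and only the event at 300 is returned; a second cycle returns nothing because the checkpoint already sits at 300.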