Is it possible to Backfill vmware Data?

SonOfBuzi · ‎05-25-2022

I have a DCS with Splunk Add-on for VMware with 2 DCN. For some reason, it stopped ingesting data for two days. Is it possible to backfill the data for the two days it missed?

shivanshu1593 · ‎05-25-2022

If you can send that data to Splunk, it should be able to handle it. It will create appropriate buckets and index the data. You'll find error messages like the following in the splunkd.log, but you can ignore them.

A possible timestamp match (Tue May 23 08:01:43 2022) is outside of the acceptable time window.

• Accepted time (Tue May 23 00:33:16 2022) is suspiciously far away from the previous event's time (Thu May 25 14:10:32 2022), but still acceptable because it was extracted by the same pattern Splunk

• Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of the event. Splunk

You can also look into increasing the values for MAX_DIFF_SECS_AGO in props.conf for this sourcetype or just ignore the errors. Your call.

###If this helps, kindly consider accepting as an answer###

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

SonOfBuzi · ‎05-27-2022

My question is if it's possible to backfill data with the the splunk add-on for vmware as far as my research goes it's not possible maybe will add it as a feature request

Is it possible to Backfill vmware Data?

administration

troubleshooting

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...