All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TrackMe App only show data host from a certain time

Na_Kang_Lim
Explorer
‎05-12-2025 02:56 AM

I am monitoring some of the information from the TrackMe App, and I noticed that for the trackme_host_monitoring lookup AKA the data host monitoring utils of the app, all the hosts I can see had the data_last_time_seen value greater than 04/03. Today is 05/12.

If I use metadata command, I can see the hosts that has not sent log from earlier than 04/03. Like 03/31.

So what config/macro of the app is probably the cause?

Labels (2)
0 Karma
Reply

livehybrid
Super Champion
‎05-16-2025 03:43 PM

Hi @Na_Kang_Lim 

Based on the lookup name, It sounds like you are on TrackMe V1, have you considered upgrading to V2.x? There are a bunch of bug fixes which could be impacting your issue here, and new features you can use in the later versions.

@asimit Im intrigued by the "trackme_max_data_tracker_history" macro - where can I find this? I cant see it in my installation of TrackMe (V1 or V2)! Also the REST endpoint you doesnt seem to exist. 

Reply

guilmxm
Influencer
‎05-17-2025 04:26 AM

Hi @Na_Kang_Lim 

@livehybrid  is 100% right, TrackMe V1 is out of date and unsupported since more than 2 years now, therefore I wouldn't respond on this.
Please consider upgraded to TrackMe V2: https://docs.trackme-solutions.com
there are options to migrate from V1 to V2 (https://docs.trackme-solutions.com/latest/migration_trackmev1.html) but I would suggest to consider a fresh configuration instead rather than migrating stuffs.

0 Karma
Reply

asimit
Path Finder
‎05-16-2025 01:58 PM

Hi @Na_Kang_Lim,

The TrackMe App has a default data retention/tracking period setting that's likely causing you to only see hosts with data_last_time_seen values after 04/03.

This is controlled by the "trackme_max_data_tracker_history" macro which defaults to 30 days of history retention. You can modify this setting to include older hosts:

a. Navigate to Settings > Advanced Search > Search macros
b. Find the macro "trackme_max_data_tracker_history"
c. By default, it's set to "-30d" which means it only tracks 30 days of history
d. Modify this value to extend the period (e.g., "-60d" or "-90d")
e. Save your changes and wait for the next scheduled collection to run

Additionally, check these potential causes:

a. The TrackMe collection might have been reset or reinstalled around 04/03
b. There might be a tracker purge operation scheduled that removes older entries
c. The "Data Sampling" feature might be enabled with a custom time range

You can verify current settings with:

```
| rest /servicesNS/-/trackme/configs/conf-trackme/trackme_gen_settings
| table title value
```

If you need to force TrackMe to rebuild its tracking data:

```
| outputlookup trackme_host_monitoring
```

Please give 👍 for support 😁 happly splunking .... 😎

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...