All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

TrackMe App only show data host from a certain time

Na_Kang_Lim
Path Finder
‎05-12-2025 02:56 AM

I am monitoring some of the information from the TrackMe App, and I noticed that for the trackme_host_monitoring lookup AKA the data host monitoring utils of the app, all the hosts I can see had the data_last_time_seen value greater than 04/03. Today is 05/12.

If I use metadata command, I can see the hosts that has not sent log from earlier than 04/03. Like 03/31.

So what config/macro of the app is probably the cause?

Labels (2)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-16-2025 03:43 PM

Hi @Na_Kang_Lim 

Based on the lookup name, It sounds like you are on TrackMe V1, have you considered upgrading to V2.x? There are a bunch of bug fixes which could be impacting your issue here, and new features you can use in the later versions.

@asimit Im intrigued by the "trackme_max_data_tracker_history" macro - where can I find this? I cant see it in my installation of TrackMe (V1 or V2)! Also the REST endpoint you doesnt seem to exist. 

Reply

guilmxm
Influencer
‎05-17-2025 04:26 AM

Hi @Na_Kang_Lim 

@livehybrid  is 100% right, TrackMe V1 is out of date and unsupported since more than 2 years now, therefore I wouldn't respond on this.
Please consider upgraded to TrackMe V2: https://docs.trackme-solutions.com
there are options to migrate from V1 to V2 (https://docs.trackme-solutions.com/latest/migration_trackmev1.html) but I would suggest to consider a fresh configuration instead rather than migrating stuffs.

0 Karma
Reply

asimit
Path Finder
‎05-16-2025 01:58 PM

Hi @Na_Kang_Lim,

The TrackMe App has a default data retention/tracking period setting that's likely causing you to only see hosts with data_last_time_seen values after 04/03.

This is controlled by the "trackme_max_data_tracker_history" macro which defaults to 30 days of history retention. You can modify this setting to include older hosts:

a. Navigate to Settings > Advanced Search > Search macros
b. Find the macro "trackme_max_data_tracker_history"
c. By default, it's set to "-30d" which means it only tracks 30 days of history
d. Modify this value to extend the period (e.g., "-60d" or "-90d")
e. Save your changes and wait for the next scheduled collection to run

Additionally, check these potential causes:

a. The TrackMe collection might have been reset or reinstalled around 04/03
b. There might be a tracker purge operation scheduled that removes older entries
c. The "Data Sampling" feature might be enabled with a custom time range

You can verify current settings with:

```
| rest /servicesNS/-/trackme/configs/conf-trackme/trackme_gen_settings
| table title value
```

If you need to force TrackMe to rebuild its tracking data:

```
| outputlookup trackme_host_monitoring
```

Please give 👍 for support 😁 happly splunking .... 😎

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...