We had to shut down Splunk_TA_opseclea as we worked to manage our data flow. We are ready to restart the forwarder but I want to ignore the history. What is the best way to do that?
We tried ignoreOlderThan = 1d when we set up the app last week, but the indexer refused to start (unfortunately I don't have the error info on that).
Maybe someone has some insight regarding the OPSEC app that would help us... we just want to get the forwarder started without a huge inrush of data.
Thanks
Have you tried adding this to props.conf:
MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.
http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf
Hi,
Same issue here, but changing props.conf didn't help.
Tried to add MAX_DAYS_AGO in [DEFAULT], or even in each stanza.
Additional info: I'm working with a Heavy Forwarder.
Thanks
Thanks,
that worked!