We had to shut down Splunk_TA_opseclea as we worked to manage our data flow. We are ready to restart the forwarder, but I want to ignore the history. What is the best way to do that?
We tried ignoreOlderThan = 1d when we set up the app last week, but the indexer refused to start (unfortunately I don't have the error info on that).
Maybe someone has some insight regarding the OPSEC app that would try to help us...we just want to get the forwarder started without a huge inrush of data.
Have you tried adding this to props.conf:
MAX_DAYS_AGO = <integer>
* Specifies the maximum number of days past, from the current date, that an extracted date can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.
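To make the documented rule concrete, here is an added simulation (not Splunk's code and not part of the original answer) that applies the MAX_DAYS_AGO age check to a few constructed log lines, with the default of 2000 days and a tight 1-day window. The timestamp format, the sample lines and the fixed "now" are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (illustrative only); one is far older than 2000 days.
SAMPLE_LINES = [
    "2019-03-01 12:00:00 action=accept src=10.0.0.5",
    "2019-02-20 08:15:00 action=drop src=10.0.0.9",
    "2013-05-05 09:00:00 action=accept src=10.0.0.7",
]
# Assumed timestamp layout at the start of each line.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def date_is_valid(extracted: datetime, now: datetime, max_days_ago: int = 2000) -> bool:
    """Documented rule: an extracted date is valid only if it is no more than
    max_days_ago days before 'now' (default 2000, as in the spec above)."""
    return (now - extracted) <= timedelta(days=max_days_ago)


def classify(lines, now: datetime, max_days_ago: int = 2000):
    """Split lines into those whose date passes the age check and those that fail.
    Lines without a leading timestamp cannot be checked and are reported as failed."""
    accepted, rejected = [], []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        (accepted if date_is_valid(ts, now, max_days_ago) else rejected).append(line)
    return accepted, rejected


if __name__ == "__main__":
    now = datetime(2019, 3, 2, 0, 0, 0)  # fixed reference time for the demo
    for window in (2000, 1):
        ok, old = classify(SAMPLE_LINES, now, window)
        print(f"MAX_DAYS_AGO={window}: {len(ok)} valid, {len(old)} too old")
```

With the 2000-day default the 2013 line is the only one rejected, which is the case the IMPORTANT note warns about; with a 1-day window only the most recent line survives.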
Same issue here, but changing the props.conf didn't help.
Tried to add the MAX_DAYS_AGO in the [default], or even in each stanza.
Additional info: I'm working with a Heavy Forwarder.