I have added a new host to log to the indexer.
But I just want the last 5 days to be indexed.
So I changed in props.conf file from the forwarder:
MAX_DAYS_AGO from default 2000 to 5.
Now, when I look at the indexer I can see logs back to Jan. 2014.
I also changed the value on the indexer itself, MAX_DAYS_AGO from 2000 to 5, but I still get log files indexed which are older than 5 days.
Where do I have to change this setting so it works correctly?
Thx
You can use ignoreOlderThan = 5d at Universal Forwarder to restrict indexing of logs older than 5 days.
Hello Michael,
You need to put the configuration at the indexer end rather than at the forwarder. If you are not using a heavy forwarder, the configuration is of no use at the forwarder end, which doesn't parse your raw data. So put the same setting on the indexer, which will work as you expect.
Thanks
OK, so I just have to make a copy of $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf with the value:
[default]
MAX_DAYS_AGO=5
And it should work?
I have not created any configs; I just changed the setting on the forwarder under /opt/splunkforwarder/etc/system/default/props.conf from MAX_DAYS_AGO=2000 to MAX_DAYS_AGO=5, then restarted the splunk service.
Can you post the inputs.conf stanza for this input, and any props.conf you've created for this input?
Thank you Luke for your answer!
I'm working on a Linux system, where I have added /var/log as the path for syslogging. Can you give me an example of how my props.conf should be configured when I just want to index the last 5 days?
This should be set in props.conf, in the source or sourcetype stanza for that source or sourcetype, on the indexer in etc/system/local/.
This will only affect new events. Events that are already indexed will still be there.
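As an added illustration (not posted by anyone in this thread), here is how the two settings discussed above would be laid out across the two tiers. The /var/log monitor stanza and the sourcetype name "syslog" are assumptions based on the question; the comments state what each setting actually does, since MAX_DAYS_AGO and ignoreOlderThan filter on different things:

```ini
; --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
; (added example; the monitored path and the sourcetype name are assumptions)
[monitor:///var/log]
sourcetype = syslog
; Skip any file whose modification time is more than 5 days old.
; This checks the file's mtime, not the timestamps of the events inside it:
; a file that was modified today is read in full, even if it still contains
; events from 2014.
ignoreOlderThan = 5d

; --- On the indexer (or a heavy forwarder): $SPLUNK_HOME/etc/system/local/props.conf ---
; Put only the override here; do not copy default/props.conf into local/.
; This has no effect on a universal forwarder, which does not parse events.
[syslog]
; Reject extracted timestamps more than 5 days in the past. This does NOT drop
; the event: Splunk still indexes it, assigning the timestamp of the last
; acceptable event instead. It also only applies to events parsed after the
; restart; events already indexed keep their existing timestamps.
MAX_DAYS_AGO = 5
```

After restarting, `$SPLUNK_HOME/bin/splunk btool props list syslog --debug` on the indexer shows which file supplies the effective MAX_DAYS_AGO value, which is the quickest way to see whether a local/ override is actually being picked up.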