I have added a new host to log to the indexer.
But I just want the last 5 days to be indexed.
So I changed, in the props.conf file on the forwarder:
MAX_DAYS_AGO from the default 2000 to 5.
Now, when I look at the indexer I can see logs back to Jan. 2014.
I also changed the value of MAX_DAYS_AGO on the indexer itself from 2000 to 5, but I still get log files indexed that are older than 5 days.
Where do I have to change this setting so it works correctly?
You need to put the configuration on the indexer rather than on the forwarder. If you are not using a heavy forwarder, the configuration is of no use on the forwarder, which doesn't parse your raw data. So put the same setting on the indexer, where it will work as you expect.
I have not created any configs; I just changed the setting on the forwarder under /opt/splunkforwarder/etc/system/default/props.conf from MAX_DAYS_AGO=2000 to MAX_DAYS_AGO=5, then restarted the splunk service.
Thank you Luke for your answer!
I'm working on a Linux system, where I have added /var/log as the path for syslogging. Can you give me an example of how my props.conf should be configured when I just want to index the last 5 days?
This should be set in props.conf in the source or sourcetype stanza for that source or sourcetype on the indexer in
This will only affect new events. Events that are already indexed will still be there.
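As an added example (not from the original thread), here is what the props.conf stanza the answer describes looks like when placed on the indexer for the /var/log input from the question. The stanza name and file location are assumptions: the setting belongs in $SPLUNK_HOME/etc/system/local/props.conf or in an app's local/props.conf on the machine that parses the data (the indexer, or a heavy forwarder), not in etc/system/default, which is replaced on upgrade.

```ini
# Added example, not code from the original thread.
# Location (assumption): $SPLUNK_HOME/etc/system/local/props.conf on the indexer.
# Editing etc/system/default/props.conf is not supported; it is overwritten on upgrade.

# Match every file read from /var/log; the "..." wildcard is recursive.
[source::/var/log/...]
# Reject extracted timestamps more than 5 days before the input's notion of "now".
MAX_DAYS_AGO = 5
```

Restart splunkd on the indexer afterwards and confirm the effective value with `splunk btool props list --debug | grep MAX_DAYS_AGO`, which also shows which file the setting is being taken from, so a stray copy in a default directory stands out. Two caveats a practitioner should know: first, as the answer above says, events already indexed are unaffected. Second, MAX_DAYS_AGO governs timestamp validity rather than whether an event is indexed at all: an event whose extracted date is older than the limit is still indexed, but Splunk assigns it the timestamp of the last acceptable event (or the current time if there is none). If the goal is to not read old files in the first place, that is an input-layer decision, made with ignoreOlderThan in the monitor stanza of inputs.conf on the forwarder, which compares the file's modification time rather than the timestamps inside it.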