Deployment Architecture

props.conf MAX_DAYS_AGO editing on indexer or forwarder?

Michael0
New Member

I have added a new host to log to the indexer.

But I just want the last 5 days to be indexed.

So I changed in props.conf file from the forwarder:

MAX_DAYS_AGO from the default 2000 to 5.

Now, when I look at the indexer I can see logs back to Jan. 2014.

I also changed the value on the indexer itself, MAX_DAYS_AGO from 2000 to 5, but I still get log files indexed which are older than 5 days.

Where do I have to change this setting so that it works correctly?

Thx

0 Karma

vigneshnarendra
Explorer

You can use ignoreOlderThan = 5 at the Universal Forwarder to restrict indexing of logs older than 5 days.

0 Karma

linu1988
Champion

Hello Michael,
You need to put the configuration at the indexer end rather than at the forwarder. If you are not using a heavy forwarder, the configuration is of no use at the forwarder end, which doesn't parse your raw data. So put the same setting on the indexer, which will work as you expect.

Thanks

0 Karma

Michael0
New Member

OK, so I just have to copy $SPLUNK_HOME/etc/system/default/props.conf to $SPLUNK_HOME/etc/system/local/props.conf with the value:
[default]
MAX_DAYS_AGO=5

And it should work?

0 Karma

Michael0
New Member

I have not created any configs. I just changed the setting on the forwarder under /opt/splunkforwarder/etc/system/default/props.conf from MAX_DAYS_AGO=2000 to MAX_DAYS_AGO=5, then restarted the splunk service.

0 Karma

lukejadamec
Super Champion

Can you post the inputs.conf stanza for this input, and any props.conf you've created for this input?

0 Karma

Michael0
New Member

Thank you Luke for your answer!
I'm working on a Linux system, where I have added /var/log as the path for syslogging. Can you give me an example of how my props.conf should be configured when I only want to index the last 5 days?

0 Karma

lukejadamec
Super Champion

This should be set in props.conf in the source or sourcetype stanza for that source or sourcetype on the indexer in etc/system/local/.
This will only affect new events. Events that are already indexed will still be there.

0 Karma
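As an added example (not posted by anyone in this thread), here are the two settings placed where each actually takes effect, using a constructed `monitor:///var/log` input and the `syslog` sourcetype as assumptions. The comments state the caveat that matters for this question: `ignoreOlderThan` skips whole files by modification time on the forwarder, while `MAX_DAYS_AGO` only bounds timestamp recognition during parsing and does not by itself discard old events.

```ini
# inputs.conf on the universal forwarder
# ($SPLUNK_HOME/etc/system/local/inputs.conf, never etc/system/default,
# which is overwritten on upgrade)
#
# ignoreOlderThan belongs to the monitor input, so it works on a UF.
# It compares each file's modification time with "now" and puts files
# older than the threshold on the ignore list. It decides per file,
# not per event: a file touched today is read in full, old lines included.
[monitor:///var/log]
sourcetype = syslog
ignoreOlderThan = 5d

# props.conf on the indexer (or heavy forwarder)
# ($SPLUNK_HOME/etc/system/local/props.conf)
#
# MAX_DAYS_AGO is applied where raw data is parsed, so on a UF it has no
# effect. Set it in the stanza for the source or sourcetype, not [default].
# It only limits how far back an extracted timestamp may lie: an event whose
# date is older than 5 days is still indexed, but with the timestamp of the
# last acceptable event. It is not a filter that drops old data.
[syslog]
MAX_DAYS_AGO = 5
```

To confirm which value is in effect after the restart, run `$SPLUNK_HOME/bin/splunk btool props list syslog --debug` on the indexer and `$SPLUNK_HOME/bin/splunk btool inputs list --debug` on the forwarder; as noted above, events already indexed are not affected by either setting.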