Solved: We can't see events older than a day in Splunk

gba8912 · ‎11-30-2020

hello,

We recently set up Splunk on our system so we are still learning. We have an issue where we are not getting older events in searches. For example: Event id 4625 (failed logon), we can see the event on the same day it happens but the next day, it will not show up.

A few things I have tried:

1. removed the ignore older that 2d line in the inputs.conf file.

2. checked to make sure we are not over on bucket size.

Any suggestions on configuring this correctly? I can post config info if requested.

Thanks

HoardingIO · ‎11-30-2020

Hello! Thanks for the message. I think you will get a better response in the "Using Splunk" (https://community.splunk.com/t5/Using-Splunk/ct-p/use-splunk and specifically) "Reporting" (https://community.splunk.com/t5/Reporting/bd-p/splunk-reporting) categories here. This section is focused on the Observability Suite.

Chris

View solution in original post

HoardingIO · ‎11-30-2020

Hello! Thanks for the message. I think you will get a better response in the "Using Splunk" (https://community.splunk.com/t5/Using-Splunk/ct-p/use-splunk and specifically) "Reporting" (https://community.splunk.com/t5/Reporting/bd-p/splunk-reporting) categories here. This section is focused on the Observability Suite.

Chris

We can't see events older than a day in Splunk

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes