Solved: How can I index an event older than 10951 days if ...

akanno · ‎11-10-2015

Hi all.

Say I want to index an event from "10/1/1970", but the max value of 「MAX_DAYS_AGO is 10951.
So, I cannot index the event of "10/1/1970", because the event of "10/1/1970" is older than 10951 days.

How can I index an event from more than 10951 days ago?

thanks.

esix_splunk · ‎11-10-2015

10951 is the current maximum for this setting. You cannot increase it beyond this value.

MAX_DAYS_AGO =
* Specifies the maximum number of days past, from the current date, that an
extracted date can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older
than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.

View solution in original post

esix_splunk · ‎11-10-2015

10951 is the current maximum for this setting. You cannot increase it beyond this value.

MAX_DAYS_AGO =
* Specifies the maximum number of days past, from the current date, that an
extracted date can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older
than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.

akanno · ‎11-10-2015

Thank you for reply exix.
I see that I cannot index an event from "10/1/1970"
Thank you.

How can I index an event older than 10951 days if that is the max value of MAX_DAYS_AGO?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?