Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I index an event older than 10951 days if that is the max value of MAX_DAYS_AGO?

akanno
Communicator
‎11-10-2015 01:10 AM

Hi all.

Say I want to index an event from "10/1/1970", but the max value of 「MAX_DAYS_AGO is 10951.
So, I cannot index the event of "10/1/1970", because the event of "10/1/1970" is older than 10951 days.

How can I index an event from more than 10951 days ago?

thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎11-10-2015 01:15 AM

10951 is the current maximum for this setting. You cannot increase it beyond this value.

MAX_DAYS_AGO =
* Specifies the maximum number of days past, from the current date, that an
extracted date can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older
than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎11-10-2015 01:15 AM

10951 is the current maximum for this setting. You cannot increase it beyond this value.

MAX_DAYS_AGO =
* Specifies the maximum number of days past, from the current date, that an
extracted date can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older
than 10 days ago.
* Defaults to 2000 (days), maximum 10951.
* IMPORTANT: If your data is older than 2000 days, increase this setting.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

akanno
Communicator
‎11-10-2015 05:01 PM

Thank you for reply exix.
I see that I cannot index an event from "10/1/1970"
Thank you.

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!