Dear Team,
I had an issue with Splunk and had to follow this post:
to make my Splunk work again. However, now Splunk will ingest logs from the very beginning. How do I make Splunk ingest only the logs from the last 7 or 14 days?
I'm pretty new to Splunk, so I really appreciate any input from you.
Hi @phudinhha ,
did you try the ignoreOlderThan option in inputs.conf?
For more info see https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Inputsconf
Ciao.
Giuseppe
Hi gcusello,
I tried ignoreOlderThan option in inputs.conf like below:
host = TESTSERVER
index = serverlogs
sourcetype = serverlogs:json
ignoreOlderThan = 14d
recursive = true
Is that okay? Should I use any other solution?
Hi @phudinhha ,
this is the solution.
Remember to restart Splunk on the forwarder after the update.
Ciao.
Giuseppe
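As an added illustration (not part of the thread), the following Python script emulates what ignoreOlderThan actually filters on. Per the inputs.conf documentation, the monitor input compares each file's modification time with the current time and skips files older than the cutoff; the timestamps of the events inside a file are never consulted, and a file that lands on the ignore list is not re-checked until the forwarder restarts or the monitor is reconfigured. Two consequences worth testing before relying on a 14d cutoff: an old rotated file that was never indexed (for example because the forwarder's state was reset, as after the fix the poster followed) is skipped entirely, and a still-active file that is appended to daily is re-read from its first line, because its mtime is recent. The file list and clock below are constructed sample data, not output from the poster's system.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit suffixes accepted by ignoreOlderThan in inputs.conf.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ignore_older_than(value: str) -> timedelta:
    """Turn an ignoreOlderThan value such as '14d' into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if m is None:
        raise ValueError(f"not a valid ignoreOlderThan value: {value!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def select_files(files, ignore_older_than: str, now: datetime):
    """Split files into (monitored, ignored) the way the monitor input does.

    `files` is an iterable of (path, mtime) pairs. Only the file's modification
    time is compared with the cutoff; event timestamps play no part here.
    """
    cutoff = now - parse_ignore_older_than(ignore_older_than)
    monitored, ignored = [], []
    for path, mtime in files:
        (monitored if mtime >= cutoff else ignored).append(path)
    return monitored, ignored


def nothing_would_be_indexed(files, ignore_older_than: str, now: datetime) -> bool:
    """Sanity check to run before enabling the setting: True means every file
    under the monitored path is older than the cutoff, so the input goes silent."""
    monitored, _ = select_files(files, ignore_older_than, now)
    return not monitored


# Constructed sample: a clock fixed around the date of the thread and three
# rotated log files with different modification times (hypothetical paths).
NOW = datetime(2020, 1, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_FILES = [
    ("/var/log/serverlogs/app-current.json", NOW - timedelta(days=1)),
    ("/var/log/serverlogs/app-20191225.json", NOW - timedelta(days=13)),
    ("/var/log/serverlogs/app-20191223.json", NOW - timedelta(days=15)),
]


def demo(ignore_older_than: str = "14d"):
    """Apply the cutoff from the thread to the sample files."""
    return select_files(SAMPLE_FILES, ignore_older_than, NOW)


if __name__ == "__main__":
    monitored, ignored = demo()
    print("monitored:", monitored)
    print("ignored:  ", ignored)
    print("silent with 12h cutoff:", nothing_would_be_indexed(SAMPLE_FILES, "12h", NOW))
```

Run it against a real directory by replacing SAMPLE_FILES with `(p, datetime.fromtimestamp(p.stat().st_mtime, timezone.utc))` for each path under the monitored directory; if `nothing_would_be_indexed` returns True for the cutoff you plan to configure, the "logs stopped coming in" symptom is expected rather than a bug.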
hi @gcusello
I tried it, but the logs stopped coming in for that index. I restarted my whole Splunk and still nothing happened. I checked the colddb and db directories and nothing new was added.
In the index, I set up storage optimization a long time ago, and its "Reduce tsidx files older than" value is 21 days. Is that the root cause?
Hi @phudinhha ,
I don't think so, but try enlarging it.
Also check the date format of your logs: if it's dd/mm/yyyy, in the first days of each month there could be a problem related to the Splunk default date format (mm/dd/yyyy).
You can check this by viewing the logs on the operating system and/or by searching for logs of 1st July on the 7th of January.
Ciao.
Giuseppe
I used "_index_earliest=-15m" and found that they're ingesting logs with this format: key_name="20200106/20200106T111000Z_20200106T111500Z_8ce5e9c5.log.gz"
However, when I search index=serverlogs, I see logs from July 2nd as well.
Where can we go to check the default Splunk date format?
Hi @phudinhha ,
you should correctly define the TIME_FORMAT and the TIME_PREFIX for your sourcetype.
If you share an example of your logs and an indication of which is the correct timestamp to take, I could help you.
Ciao.
Giuseppe
Check in props.conf how to use MAX_DAYS_AGO. It defines how old the data that Splunk accepts can be.
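As an added example (not code from the thread), the Python script below emulates the three props.conf behaviours the replies above refer to: TIME_PREFIX plus TIME_FORMAT extraction on the key_name line quoted by the poster, the dd/mm versus mm/dd reading of the same date string that Giuseppe describes (07/01/2020 is 7 January in one and 1 July in the other), and MAX_DAYS_AGO. The strptime-to-regex helper and the second sample log line are my own and support only a handful of directives; real Splunk timestamp extraction also involves MAX_TIMESTAMP_LOOKAHEAD and the datetime.xml fallback, which are not modelled. One caveat a practitioner should keep in mind: according to props.conf.spec, MAX_DAYS_AGO does not reject events. An event whose extracted timestamp is older than the window is still indexed, re-stamped with the timestamp of the last acceptable event (or with the current time if there is none), so it is not a way to drop old data.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of strptime directives this emulation understands (assumption: enough
# for the formats in the thread, not Splunk's full implementation).
_DIRECTIVE_RE = {
    "Y": r"\d{4}", "y": r"\d{2}", "m": r"\d{2}", "d": r"\d{2}",
    "H": r"\d{2}", "M": r"\d{2}", "S": r"\d{2}",
}


def _format_to_regex(time_format: str) -> str:
    """Build a regex that consumes exactly the characters TIME_FORMAT describes."""
    parts, i = [], 0
    while i < len(time_format):
        if time_format[i] == "%" and i + 1 < len(time_format):
            code = time_format[i + 1]
            if code not in _DIRECTIVE_RE:
                raise ValueError(f"unsupported directive %{code}")
            parts.append(_DIRECTIVE_RE[code])
            i += 2
        else:
            parts.append(re.escape(time_format[i]))
            i += 1
    return "".join(parts)


def extract_timestamp(event: str, time_prefix: str, time_format: str):
    """Emulate TIME_PREFIX + TIME_FORMAT: skip past the prefix match, then parse
    the characters TIME_FORMAT covers. Returns None when either step fails."""
    prefix = re.search(time_prefix, event)
    if prefix is None:
        return None
    body = re.match(_format_to_regex(time_format), event[prefix.end():])
    if body is None:
        return None
    return datetime.strptime(body.group(0), time_format).replace(tzinfo=timezone.utc)


def apply_max_days_ago(extracted, now, max_days_ago, last_accepted=None):
    """Emulate props.conf MAX_DAYS_AGO: an event older than the window is not
    dropped, it is re-stamped with the last acceptable timestamp, or `now`."""
    if extracted >= now - timedelta(days=max_days_ago):
        return extracted
    return last_accepted if last_accepted is not None else now


NOW = datetime(2020, 1, 7, 12, 0, tzinfo=timezone.utc)

# The key_name line quoted in the thread; the prefix and format are my proposal
# for pulling the first timestamp out of the object name.
KEY_NAME_EVENT = 'key_name="20200106/20200106T111000Z_20200106T111500Z_8ce5e9c5.log.gz"'
KEY_NAME_PREFIX = r'key_name="\d{8}/'
KEY_NAME_FORMAT = "%Y%m%dT%H%M%SZ"

# Constructed line with an ambiguous date: 7 January as dd/mm, 1 July as mm/dd.
AMBIGUOUS_EVENT = "07/01/2020 08:15:00 user=alice action=login result=ok"


def demo():
    """Run the three checks and return the resulting timestamps."""
    key_ts = extract_timestamp(KEY_NAME_EVENT, KEY_NAME_PREFIX, KEY_NAME_FORMAT)
    us_reading = extract_timestamp(AMBIGUOUS_EVENT, r"^", "%m/%d/%Y %H:%M:%S")
    eu_reading = extract_timestamp(AMBIGUOUS_EVENT, r"^", "%d/%m/%Y %H:%M:%S")
    stale = datetime(2015, 3, 1, 0, 0, tzinfo=timezone.utc)  # older than any window
    return {
        "key_name": key_ts,
        "us_reading": us_reading,
        "eu_reading": eu_reading,
        "restamped": apply_max_days_ago(stale, NOW, 30, last_accepted=key_ts),
    }


if __name__ == "__main__":
    for name, ts in demo().items():
        print(f"{name:11s} {ts.isoformat()}")
```

The two readings of AMBIGUOUS_EVENT are exactly the symptom in the thread: with the default mm/dd interpretation, a 7 January event lands in July and shows up in searches for the wrong month, so the props.conf fix is to pin TIME_FORMAT (here `%d/%m/%Y %H:%M:%S`) for that sourcetype on the forwarder or heavy forwarder that parses the data, then restart it.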