Hi gcusello,

I tried ignoreOlderThan option in inputs.conf like below:

host = TESTSERVER
index = serverlogs
sourcetype = serverlogs:json
ignoreOlderThan = 14d
recursive = true

Is that okay? Should I use any other solution?

Hi @phudinhha ,

this is the solution.

Remember to restart Splunk on Forwarder after update.

Ciao.

Giuseppe

hi @gcusello 

I tried but the log stopped coming in for that index. I did restart my whole splunk and still nothing happen. I checked the colddb and db and nothing new added.

in the index, I set up the storage optimization long time ago, and it Reduce tsidx files older than values is 21 days. Is that the root cause ?

Hi @phudinhha ,

I don't think, but try to enlarge it.

Check also what's the date format of your logs: if it's dd/mm/yyyy, in the first days of each month there could be a problem related to the Splunk default date format (mm/dd/yyyy).

You can check this viewing logs on operative system and/or searching logs of 1st July on the 7th of January.

Ciao.

Giuseppe

I use "_index_earliest = -15m" and found that they're ingesting log with this format key_name="20200106/20200106T111000Z_20200106T111500Z_8ce5e9c5.log.gz"

However, when i do index=serverlogs, I saw log of July-2nd as well.

Where can we go to check the default splunk format?

Hi @phudinhha ,

you should correctly define the TIME_FORMAT and the TIME_PREFIX for your sourcetype.

If you share an example of your your logs and the indication of which is the correct timestamp to take I could help you.

Ciao.

Giuseppe