I had an issue with Splunk and had to follow this post:
to make my Splunk work again. However, now Splunk will ingest logs from the beginning of everything. How do I make Splunk ingest logs from the last 7 days / 14 days?
I'm pretty new to Splunk, so I really appreciate every input from you guys.
I tried the ignoreOlderThan option in inputs.conf like below:
host = TESTSERVER
index = serverlogs
sourcetype = serverlogs:json
ignoreOlderThan = 14d
recursive = true
Is that okay? Should I use any other solution?
I tried, but the logs stopped coming in for that index. I restarted my whole Splunk and still nothing happened. I checked the colddb and db and nothing new was added.
In the index, I set up the storage optimization a long time ago, and its "Reduce tsidx files older than" value is 21 days. Is that the root cause?
Hi @phudinhha ,
I don't think so, but try to enlarge it.
Also check what the date format of your logs is: if it's dd/mm/yyyy, in the first days of each month there could be a problem related to the Splunk default date format (mm/dd/yyyy).
You can check this by viewing the logs on the operating system and/or searching for logs of 1st July on the 7th of January.
I use "_index_earliest = -15m" and found that they're ingesting logs with this format: key_name="20200106/20200106T111000Z_20200106T111500Z_8ce5e9c5.log.gz"
However, when I do index=serverlogs, I saw logs of July 2nd as well.
Where can we go to check the default Splunk format?
Hi @phudinhha ,
You should correctly define the TIME_FORMAT and the TIME_PREFIX for your sourcetype.
If you share an example of your logs and an indication of which is the correct timestamp to take, I could help you.
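The month/day swap described in the answers above (a dd/mm/yyyy log read month-first, so 07/01 becomes 1 July and shows up as a future event), and why an explicit TIME_FORMAT removes it, as an added Python example that is not part of the original thread. The log lines and the "current time" are constructed; the format strings are standard strptime specifiers, which is the same notation Splunk's TIME_FORMAT setting takes. The key_name stamp format is taken from the value quoted in the thread.

```python
"""Why a day-first log needs an explicit TIME_FORMAT (added example, not from the thread)."""
from datetime import datetime, timezone

# Constructed sample lines: the date is written day-first (dd/mm/yyyy), like the
# logs discussed in the thread. These are not lines from the original poster.
SAMPLE_LINES = [
    '07/01/2020 09:15:00 level=INFO msg="service started"',      # 7 January 2020
    '13/01/2020 09:16:00 level=WARN msg="retrying connection"',  # 13 January 2020
]

# Constructed "current time" for the demonstration: 10 January 2020.
SAMPLE_NOW = datetime(2020, 1, 10)

# strptime specifiers; Splunk's TIME_FORMAT uses the same notation.
MONTH_FIRST = "%m/%d/%Y %H:%M:%S"   # the default guess for an ambiguous xx/xx/yyyy date
DAY_FIRST = "%d/%m/%Y %H:%M:%S"     # what these logs actually use
FORMATS = {"mm/dd": MONTH_FIRST, "dd/mm": DAY_FIRST}

# Basic ISO 8601 form seen in the key_name values quoted in the thread
# (e.g. 20200106T111000Z).
BASIC_ISO = "%Y%m%dT%H%M%SZ"


def parse_ts(line, fmt):
    """Parse the timestamp at the start of a line with an explicit format.

    Returns a datetime, or None when the text does not fit the format
    (for instance a month of 13 under a month-first format).
    """
    # The timestamp is everything before the first key=value field.
    stamp = line.split(" level=", 1)[0]
    try:
        return datetime.strptime(stamp, fmt)
    except ValueError:
        return None


def interpretations(line):
    """Return both readings of an ambiguous date so the drift is visible."""
    return {name: parse_ts(line, fmt) for name, fmt in FORMATS.items()}


def looks_future(line, now, fmt):
    """True when the line, parsed with fmt, is timestamped after `now`.

    Events from the future are the tell-tale symptom of a month/day swap: a
    7 January line read month-first lands on 1 July, months ahead of today.
    """
    ts = parse_ts(line, fmt)
    return ts is not None and ts > now


def parse_basic_iso(stamp):
    """Parse a 20200106T111000Z style stamp as a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, BASIC_ISO).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        for name, fmt in FORMATS.items():
            ts = parse_ts(line, fmt)
            flag = "  <- in the future, misparsed" if looks_future(line, SAMPLE_NOW, fmt) else ""
            print(f"  read as {name}: {ts}{flag}")
    # The filename stamps are unambiguous once the format is spelled out.
    print(parse_basic_iso("20200106T111000Z"))
```

In props.conf terms, the fix the last answer points at is pinning the day-first reading for the sourcetype, for example `TIME_PREFIX = ^` together with `TIME_FORMAT = %d/%m/%Y %H:%M:%S`; that layout is an assumption here, since the real prefix and format depend on where the timestamp sits in the actual events. A quick detection check for the swap is a search over the index for events whose `_time` is later than now: under a correct format that set should be empty.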