Getting Data In

Why does ignoreOlderThan not work after modification?

dujas
Explorer

Hi All,

I set ignoreOlderThan = 10d and it worked as expected, the files older than 10 days were not searched. Once I set that value to 30d, all files came out. So far it is working as expected.

However, after I set it back to 10d, there was no difference and all files, including those older than 10 days, came out as well. Is this as expected? I have restarted both the UF and the server.

Thanks.

1 Solution

gcusello
SplunkTrust

Hi @dujas,

Sorry, I didn't understand your question!

Let me understand:

  • you configured inputs with ignoreOlder=10d and indexed events,
  • then you configured inputs with ignoreOlder=30d and indexed events,
  • then you configured again inputs with ignoreOlder=10d and indexed events,
  • at the end you have events older than 10d,

Is this what you did?

In this way you indexed data older than 10d and, as time passes, you have events older than 10 days, so the indexed events are still in Splunk and you can search them until they go out of the retention period.

If you want to discard events older than 10 days also in the indexes, you have to configure a retention of 10 days for your index using the "FrozenTimePeriodInSecs" option in indexes.conf in the your_index stanza.

For more info see https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf

Ciao.

Giuseppe

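The two settings the answer distinguishes, side by side, as an added example that is not part of the thread. The monitor path, sourcetype and bucket paths are assumptions; the index name your_index is taken from the answer.

```ini
# inputs.conf on the universal forwarder (added example; path and sourcetype are assumed)
[monitor:///var/log/app/*.log]
sourcetype = app_log
index = your_index
# Ingest-time filter only: files whose modification time is older than
# 10 days are not read by the monitor. Events that were already indexed
# (e.g. while this was set to 30d) are not touched by this setting.
ignoreOlderThan = 10d

# indexes.conf on the indexer: the retention side of the same question
[your_index]
homePath   = $SPLUNK_DB/your_index/db
coldPath   = $SPLUNK_DB/your_index/colddb
thawedPath = $SPLUNK_DB/your_index/thaweddb
# 10 days = 10 * 24 * 60 * 60 seconds. A bucket is frozen (deleted unless a
# coldToFrozenDir is configured) once its newest event is older than this,
# so the events that leaked in under the 30d window age out after 10 days.
frozenTimePeriodInSecs = 864000
```

Retention is evaluated per bucket on the event timestamp, so a bucket that still contains a recent event keeps its older events searchable until the whole bucket ages past the threshold.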

gcusello
SplunkTrust

Hi @dujas,

olderThan works on the event timestamp; did you check the timestamp of the events?

What's the retention of your index?

Ciao.

Giuseppe


dujas
Explorer

Hi Giuseppe,

Thanks for the reply.

The log files older than 10 days have not been updated since then; their modification time has not changed at all.

Best Regards,

Jason Du



dujas
Explorer

Thanks Giuseppe, this explanation helps me out.


gcusello
SplunkTrust

Hi @dujas,

Good for you, see you next time!

If my answer solves your need, please accept it for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
