Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does ignoreOlderThan not work after modification?

dujas
Explorer
‎05-25-2022 11:47 PM

Hi All,

I set ignoreOlderThan = 10d and it worked as expected, the files older than 10 days were not searched. Once I set that value to 30d, all files came out. So far it is working as expected.

However, after I set it back to 10d, there was no difference and all files including those ones older than 10 days came out as well, is this as expected? I have restarted both the UF and server.

Thanks.

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-26-2022 03:55 AM

Hi @dujas,

sorry I didn't understand you question!

let me understand:

  • you configured inputs with ignoreOlder=10d and indexed events,
  • then you configured inputs with ignoreOlder=30d and indexed events,
  • then you configured again inputs with ignoreOlder=10d and indexed events,
  • at the end you have events older than 10d,

is this what you did?

In this way you indexed data older than 10d and passing time you have events older than 10 days, so the indexed events are still in Splunk and you can search them until they go out of the retention period.

If you want to discard events older than 10 days also in indexes, you have to confiure a retention of 10 days for your index using the "FrozenTimePeriodInSecs" option in indexes.conf in the your_index stanza.

For more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf 

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-26-2022 12:00 AM

Hi @dujas,

olderThan works on the event Timestamp, did you checked the timestamp of the events?

What's the retention of your index?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

dujas
Explorer
‎05-26-2022 12:58 AM

Hi Giuseppe,

Thanks for the reply.

The log files older than 10 days were not updated since then, the modification time is not changed at all.

Best Regards,

Jason Du

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-26-2022 03:55 AM

Hi @dujas,

sorry I didn't understand you question!

let me understand:

  • you configured inputs with ignoreOlder=10d and indexed events,
  • then you configured inputs with ignoreOlder=30d and indexed events,
  • then you configured again inputs with ignoreOlder=10d and indexed events,
  • at the end you have events older than 10d,

is this what you did?

In this way you indexed data older than 10d and passing time you have events older than 10 days, so the indexed events are still in Splunk and you can search them until they go out of the retention period.

If you want to discard events older than 10 days also in indexes, you have to confiure a retention of 10 days for your index using the "FrozenTimePeriodInSecs" option in indexes.conf in the your_index stanza.

For more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf 

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

dujas
Explorer
‎05-26-2022 10:07 AM

Thanks Giuseppe, this explanation helps me out.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-26-2022 11:20 PM

Hi @dujas,

good for you, see next time!

If my answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...