Getting Data In

Why does ignoreOlderThan not work after modification?

dujas
Explorer

Hi All,

I set ignoreOlderThan = 10d and it worked as expected, the files older than 10 days were not searched. Once I set that value to 30d, all files came out. So far it is working as expected.

However, after I set it back to 10d, there was no difference and all files, including those older than 10 days, came out as well. Is this expected? I have restarted both the UF and the server.

Thanks.


gcusello
SplunkTrust

Hi @dujas,

olderThan works on the event timestamp. Did you check the timestamp of the events?

What's the retention of your index?

Ciao.

Giuseppe


dujas
Explorer

Hi Giuseppe,

Thanks for the reply.

The log files older than 10 days have not been updated since then; their modification time has not changed at all.

Best Regards,

Jason Du


gcusello
SplunkTrust

Hi @dujas,

Sorry, I didn't understand your question!

Let me understand:

  • you configured inputs with ignoreOlder=10d and indexed events,
  • then you configured inputs with ignoreOlder=30d and indexed events,
  • then you configured again inputs with ignoreOlder=10d and indexed events,
  • at the end you have events older than 10d,

is this what you did?

In this way you indexed data older than 10d, and as time passes you have events older than 10 days, so the indexed events are still in Splunk and you can search them until they go out of the retention period.

If you want to discard events older than 10 days also in indexes, you have to configure a retention of 10 days for your index using the "frozenTimePeriodInSecs" option in indexes.conf in the your_index stanza.

For more info see https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf

Ciao.

Giuseppe

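As an added example (not from the thread), the two settings Giuseppe distinguishes, written out as inputs.conf and indexes.conf stanzas; the monitor path, sourcetype and index name are placeholders:

```ini
# inputs.conf (on the universal forwarder) -- controls what gets READ.
# ignoreOlderThan compares a file's modification time with the current
# time when the input is evaluated; files older than the threshold are
# skipped by the monitor. It does nothing to events already indexed.
[monitor:///var/log/app/*.log]
index = your_index
sourcetype = app_log
ignoreOlderThan = 10d

# indexes.conf (on the indexer) -- controls what gets KEPT.
# frozenTimePeriodInSecs rolls a bucket to frozen (removed unless a
# coldToFrozenDir/coldToFrozenScript is configured) once the newest
# event in the bucket is older than this many seconds.
# 10 days = 10 * 86400 = 864000.
[your_index]
homePath   = $SPLUNK_DB/your_index/db
coldPath   = $SPLUNK_DB/your_index/colddb
thawedPath = $SPLUNK_DB/your_index/thaweddb
frozenTimePeriodInSecs = 864000
```

Retention is enforced per bucket, not per event, so a bucket that still holds one event newer than the threshold keeps all of its older events searchable until that newest event also ages out.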

dujas
Explorer

Thanks Giuseppe, this explanation helps me out.


gcusello
SplunkTrust

Hi @dujas,

Good for you, see you next time!

If my answer solves your need, please accept it for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
