Hi All,
I set ignoreOlderThan = 10d and it worked as expected, the files older than 10 days were not searched. Once I set that value to 30d, all files came out. So far it is working as expected.
However, after I set it back to 10d, there was no difference and all files including those ones older than 10 days came out as well, is this as expected? I have restarted both the UF and server.
Thanks.
Hi @dujas,
olderThan works on the event Timestamp, did you check the timestamp of the events?
What's the retention of your index?
Ciao.
Giuseppe
Hi Giuseppe,
Thanks for the reply.
The log files older than 10 days were not updated since then, the modification time is not changed at all.
Best Regards,
Jason Du
Hi @dujas,
sorry I didn't understand your question!
let me understand:
is this what you did?
In this way you indexed data older than 10d and passing time you have events older than 10 days, so the indexed events are still in Splunk and you can search them until they go out of the retention period.
If you want to discard events older than 10 days also in indexes, you have to configure a retention of 10 days for your index using the "FrozenTimePeriodInSecs" option in indexes.conf in the your_index stanza.
For more info see https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Indexesconf
Ciao.
Giuseppe
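As an added example (not from this thread), the two different controls the reply distinguishes, written out as the inputs.conf stanza on the forwarder and the indexes.conf stanza on the indexer; the index name, paths and sourcetype are placeholders:

```ini
# inputs.conf (universal forwarder) -- added example, not from the thread.
# ignoreOlderThan only decides which FILES the monitor input picks up, judged
# by file modification time; it never removes events that were already indexed.
# Placeholders: /var/log/app, app_log and your_index are assumed names.
[monitor:///var/log/app/*.log]
index = your_index
sourcetype = app_log
ignoreOlderThan = 10d

# indexes.conf (indexer) -- retention is a separate setting.
# frozenTimePeriodInSecs is the option the reply calls "FrozenTimePeriodInSecs";
# a bucket is frozen (deleted, unless coldToFrozenDir/coldToFrozenScript is set)
# once its newest event is older than this value. 10 days = 864000 seconds.
[your_index]
homePath   = $SPLUNK_DB/your_index/db
coldPath   = $SPLUNK_DB/your_index/colddb
thawedPath = $SPLUNK_DB/your_index/thaweddb
frozenTimePeriodInSecs = 864000
```

Verify the effective values with `splunk btool inputs list --debug` on the forwarder and `splunk btool indexes list your_index --debug` on the indexer. Because freezing is decided per bucket by its newest event, some events a little older than 10 days can remain searchable until the whole bucket ages out.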
Thanks Giuseppe, this explanation helps me out.
Hi @dujas,
good for you, see you next time!
If my answer solves your need, please accept it for the other people of Community.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉