Hi Team,
If the file is too old, e.g. the file was created in 2022 and has had no further updates, will events from that source file be visible in the index?
This will be the first-time ingestion into Splunk for the source file. If it can be read, what additional parameters should be applied?
Thanks for the response.
Where can I find this 2000-day-old setting, and can the number of days be changed?
With 2000 days, will it be able to read all lines in the logs, or will there be any limitation on the number of lines?
Yes, the 2000 days setting can be changed, as described in my first reply.
There is no limit to the number of lines Splunk will read from a file. By default, however, any single event is limited to 256 lines (not usually a problem).
Thanks for the reply.
As you mentioned, it can read up to 2000 days old. Apart from adding it in props, where is this setting set, or is it not editable at all?
So with 256 lines, what will the limitation on characters be then?
The MAX_DAYS_OLD setting is in props.conf. There may be several of those files so the one to change depends on which one has the sourcetype in question. As always, never edit a file in a default directory - copy the stanza name and attribute to the local directory and make the change there.
The default character limit for a single event is 10000.
Could you send the document link where it is documented that the last 2000 days can be read for first-time ingestion? It would be great to send to the App monitoring team.
Splunk will ingest events up to 2000 days old without any configuration changes. For anything older than that, you must change MAX_DAYS_AGO in props.conf.
To search old data, simply set the time window to some appropriate range.
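
The settings discussed in this thread, gathered into one local props.conf stanza. This is an added example, not part of the original replies; the app path placeholder, the sourcetype name `app_archive_log` and the value 3000 are assumptions chosen for illustration.

```ini
# File: $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Lives in a local directory, never in default, so upgrades do not overwrite it.

# Hypothetical sourcetype; use the stanza name that applies to the old file.
[app_archive_log]

# Oldest extracted timestamp Splunk accepts, in days before "now".
# Default is 2000; raise it only when the file holds older events.
MAX_DAYS_AGO = 3000

# Maximum number of lines merged into a single event (default 256).
MAX_EVENTS = 256

# Maximum line length before the event is truncated (default 10000).
TRUNCATE = 10000
```

Running `splunk btool props list app_archive_log --debug` shows which props.conf file supplies each effective value, which helps when several copies of the file define the same sourcetype.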