Will first time ingestion of old log file be visible for the source file index?

JGP
Explorer

Hi Team,

If the file is too old, e.g. the file was created in 2022 and has not been updated since, will events for that source file be visible in the index?

This will be the first time the source file is ingested into Splunk. If it can be read, what additional parameters should be applied?


JGP
Explorer

Thanks for the response.

Where can I find this 2000-days-old setting, and can the number of days be changed?

With 2000 days, will it be able to read all lines in the logs, or will there be a limit on the number of lines?


richgalloway
SplunkTrust

Yes, the 2000 days setting can be changed, as described in my first reply.

There is no limit to the number of lines Splunk will read from a file.  By default, however, any single event is limited to 256 lines (not usually a problem).

---
If this reply helps you, Karma would be appreciated.

JGP
Explorer

Thanks for the reply.

As you mentioned, it can read up to 2000 days old; apart from adding it in props, where is this setting set, or is it not editable at all?

So with 256 lines, what will the character limitation be then?


richgalloway
SplunkTrust

The MAX_DAYS_OLD setting is in props.conf.  There may be several of those files so the one to change depends on which one has the sourcetype in question.  As always, never edit a file in a default directory - copy the stanza name and attribute to the local directory and make the change there.

The default character limit for a single event is 10000.

---
If this reply helps you, Karma would be appreciated.

JGP
Explorer

Could you send the document link where it is documented that the last 2000 days can be read on first-time ingestion? It would be great to send to the app monitoring team.

richgalloway
SplunkTrust

Splunk will ingest events up to 2000 days old without any configuration changes.  For anything older than that, you must change MAX_DAYS_AGO in props.conf.

To search old data, simply set the time window to some appropriate range.

---
If this reply helps you, Karma would be appreciated.
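As an added example (not from the thread and not Splunk's own documentation), here is a local props.conf stanza that applies the settings discussed above to a hypothetical sourcetype `legacy_app_log` whose file was last written in 2022; the sourcetype name, the 4000-day value and the timestamp format are assumptions.

```ini
# Added example, not from the thread: a local props.conf stanza for the
# hypothetical sourcetype "legacy_app_log".
# Place it in $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf on the
# instance that parses the data (indexer or heavy forwarder), never in default/.
[legacy_app_log]

# Oldest event timestamp Splunk accepts, in days before now (default 2000,
# roughly 5.5 years). Older events are still indexed, but they receive the
# timestamp of the last acceptable event instead of their own, so they land
# in the wrong time window. Raise it to cover the age of the file.
MAX_DAYS_AGO = 4000

# Maximum number of lines merged into one multi-line event (default 256).
# Lines beyond this start a new event; only matters for very long stack traces.
MAX_EVENTS = 256

# Maximum number of characters kept per event (default 10000).
# Longer events are cut off; 0 disables truncation.
TRUNCATE = 10000

# Point the timestamp processor at the date in each line so it does not fall
# back to the file modification time for a file untouched since 2022.
# The format below is an assumption about the log's layout.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %Y-%m-%d %H:%M:%S
```

Confirm the effective values with `splunk btool props list legacy_app_log --debug`, which also shows which file each setting comes from. Also check that the monitor stanza in inputs.conf does not set `ignoreOlderThan`, which would skip a file with that old a modification time regardless of these settings.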