Reporting

We can't see events older than a day in Splunk

gba8912
Explorer

hello,

We recently set up Splunk on our system, so we are still learning. We have an issue where we are not getting older events in searches. For example, for Event ID 4625 (failed logon), we can see the event on the same day it happens, but the next day it will not show up.

A few things I have tried:

1. Removed the "ignore older than 2d" line in the inputs.conf file.

2. Checked to make sure we are not over on bucket size.

Any suggestions on configuring this correctly? I can post config info if requested.

Thanks

1 Solution

richgalloway
SplunkTrust

The settings in inputs.conf have no effect on the ability to search already-indexed data. They only control what Splunk reads in.

What is the exact search you are trying? Have you selected a time window larger than 24 hours?

---
If this reply helps you, Karma would be appreciated.
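To make the point in the accepted answer concrete, here is an added example (not part of the original thread or of the poster's configuration). The search time window can be set either from the time-range picker or with explicit earliest/latest modifiers in the search string; modifiers in the search string take precedence over the picker. The index name `wineventlog`, the sourcetype `WinEventLog:Security` and the field names `EventCode` and `Account_Name` are assumptions about how the Windows Security log is indexed and may differ in your environment.

```spl
# Failed logons (Event ID 4625) over the last 7 full days, not just today.
# earliest=-7d@d snaps to midnight 7 days ago; latest=now is the current time.
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 earliest=-7d@d latest=now
| timechart span=1d count by Account_Name

# Sanity check that older data is actually in the index: count events per day
# over the last 30 days straight from the index metadata (fast, no raw scan).
| tstats count where index=wineventlog sourcetype=WinEventLog:Security earliest=-30d latest=now by _time span=1d

# Show the oldest and newest event times held for the sourcetype. If firstTime
# is only a day old, data has aged out (retention), not been hidden by a search.
| metadata type=sourcetypes index=wineventlog
| search sourcetype=WinEventLog:Security
| convert ctime(firstTime) ctime(lastTime)
```

If the first search returns events on earlier days, the original problem was only the time window. If the tstats and metadata searches show that nothing older than a day exists in the index, look at the index's retention settings (frozenTimePeriodInSecs and maxTotalDataSizeMB in indexes.conf) rather than at inputs.conf, which, as the answer says, only governs what gets read in.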

gba8912
Explorer

That's what I was missing, thanks. Guess it's one of those days where I forget basic stuff... lol
