All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Run-away indexing with Splunk add-on for AWS, how to enforce a Log Start Date

Glasses
Builder
‎07-02-2019 06:35 PM

Hi,
I was moving about 20 aws data inputs (s3 sources) from an EOL server to an aws ec2.
The ec2 was a clone and had the Splunk_TA_aws app on it.
When I started up the new ec2, I disabled the TA.
I configured the Log Start Date directly in the inputs.conf for all the data inputs (and restarted).
Then I enabled the TA and disabled each of the inputs with the WebUI.
I went 1 by 1 disabling the input on the old host and enabling the input on the new host.
Everything looked good but now my indexing is blowing up.
I set the Log Start Date to 7/1/2019 but it seems the new ec2 host is fetching data before that date, like its not obeying the configs.

Any help is appreciated, thank you.

Reply

Glasses
Builder
‎07-22-2019 09:38 AM

Because I upgraded the AWS app, it did not retain my start date/time settings. I created new ones and it worked.

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...