Solved: We can't see events older than a day in Splunk

gba8912 · ‎11-30-2020

hello,

We recently set up Splunk on our system so we are still learning. We have an issue where we are not getting older events in searches. For example: Event id 4625 (failed logon), we can see the event on the same day it happens but the next day, it will not show up.

A few things I have tried:

1. removed the ignore older that 2d line in the inputs.conf file.

2. checked to make sure we are not over on bucket size.

Any suggestions on configuring this correctly? I can post config info if requested.

Thanks

richgalloway · ‎11-30-2020

The settings in inputs.conf have no effect on the ability to search already-indexed data. It only controls what Splunk reads in.

What is the exact search are you trying? Have you selected a time window larger than 24 hours?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-30-2020

The settings in inputs.conf have no effect on the ability to search already-indexed data. It only controls what Splunk reads in.

What is the exact search are you trying? Have you selected a time window larger than 24 hours?

---
If this reply helps you, Karma would be appreciated.

gba8912 · ‎11-30-2020

thats what i was missing, thanks. guess its one of those days where i forget basic stuff...lol

We can't see events older than a day in Splunk

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!