Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to verify if ignoreOlderThan is working or not ?

ram254481493
Explorer
‎11-11-2019 07:32 AM

Hi I have implemented ignoreOlderThan for 7 days , I want to verify it if its working or not ? Is their any query or any place in DMC where i can validate that its working ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎11-11-2019 07:39 AM

you can look for event timestamps:

if you are getting events older than 7 days so it's not working.

you could check 

... | timechart span=1d count

If you have events older than 7 days before making this configuration then check for the count if it's increasing or it's constant.
that way you could determine if ignoreOlderThan is working or not.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎11-11-2019 07:39 AM

you can look for event timestamps:

if you are getting events older than 7 days so it's not working.

you could check 

... | timechart span=1d count

If you have events older than 7 days before making this configuration then check for the count if it's increasing or it's constant.
that way you could determine if ignoreOlderThan is working or not.

0 Karma
Reply
Solved! Jump to solution

ram254481493
Explorer
‎11-11-2019 08:02 AM

thanks after making the change i will validate.

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎11-11-2019 08:45 AM

sure, let me know.

0 Karma
Reply
Solved! Jump to solution

ram254481493
Explorer
‎11-14-2019 07:04 AM

@mayurr98 hi i amde the change yesterday for ignore older than 14 days after implementing it i can see the data over 30 days coming and didnt see any effect of it my settings are below:
[WinEventLog://System]
disabled = false
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
ignoreOlderThan = 14d

after adding these settings i run this query for 30 days |tstats count WHERE index=wineventlog by _time span=1d and i can see the data of 30 days not sure why its not working ?

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎11-14-2019 07:11 AM

Did you change these settings or it's a new input that you wrote?

was this input already there and then you added ignoreOlderThan ?

0 Karma
Reply
Solved! Jump to solution

ram254481493
Explorer
‎11-14-2019 07:13 AM

@mayur98 yes this input is already there and i just added ignoreolderthan and change the current_only = 0 to 1

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎11-14-2019 07:20 AM

Yeah, so the already indexed data won't get affected. this attribute only affects from the time you make the change.

0 Karma
Reply
Solved! Jump to solution

ram254481493
Explorer
‎11-14-2019 07:23 AM

ok got it , but is their any way that we can verify it that its working properly ?

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎11-14-2019 07:27 AM

yeah. so whatever is ingested will remain constant after this change. So for example, if x number events are already indexed then it won't increase. It will remain the same. you need to look at those numbers and see if they are changing or not.

0 Karma
Reply
Solved! Jump to solution

ram254481493
Explorer
‎11-14-2019 07:40 AM

sure thanks mayur i can see the change

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...