- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- what can be done to keep the past in the past?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what can be done to keep the past in the past?
Hello,
For the past couple of weeks, we’ve seen events from the past being recently indexed. I assume that these few of the boxes were just powered up, and because of the forwarding infrastructure, that these are “current” events?
what can be done to keep the past in the past?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @raomu,
You can keep the configuration DATETIME_CONFIG = blank in props.conf instead of setting it to CURRENT or NONE that will consider the timestamp of the event.
For your reference https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Propsconf
Thanks. Let me know if that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, If you have used crcSalt = <SOURCE> from your inputs.conf then you should remove that if you your files get rotated after a certain time duration. Setting crcSalt in such case will cause re-indexing of your data.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply, but here the issue is not related to re-indexing.
My bad, may be I should have put more information.
Example :
we have some server X , Y
and these 2 servers have log files with year old data.
I installed the fwd and start getting logs from these 2 machines. Now the issue is the logs which is already associated with old or last year time stamps when indexed In spunk will take current time.
example :
event 03/06/017 xyzzy .......... login attempt.
during the index time it will take the current time not the actual event time.
So do we have any way of these types of events already indexed we can setup the indexed time same as event time ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, do you have a single source from where data is coming or multiple sources?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
single source.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
