OK,
So I have been at this all day and I cannot see a solution. Part of my frustration is that the documentation says one thing, the wiki says another, e.g. use "quotes"; no, don't use quotes.
My user wants all messages for the last 60 days for a single host, sent to him in a syslog format so he can forward to the vendor.
From the GUI I can get results but it is greater than 10,000 lines, so exporting it is heck! (Sorry folks, but those links posted here on how to increment an export suck.)
From the command line I don't get any errors, but splunk will not under any circumstances report over 60 days. Doesn't matter if I use starttime="m/d/y:h:m:s" or if I use daysago=60 etc. The search will not go back far enough.
Can anyone tell me how to get ./splunk search host="foo" daysago=60 > myfoofile.txt to work?