Working with old data

This has tripped up a few people (including myself) in the last couple of weeks, so I figured it would be worth pointing out. If you are working with old data (>5 years), you need to let Splunk know. The default value of MAX_DAYS_AGO (props.conf) is 2000 days, which works out to a little over 5 years. If you use the preview feature of Splunk, you can see the issue right away.

But of course, thinking I was an Über Splunker, I bypassed the preview and spent the next 20 minutes trying to figure out what I did wrong. So let that be a lesson: use the data preview feature!

----------------------------------------------------
Thanks!
Karandeep Bains
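
A pre-ingest check for the MAX_DAYS_AGO limit described above, as an added example that is not from the original post: it scans constructed sample lines for timestamps older than the 2000-day default and builds a props.conf stanza that raises the limit. The sourcetype name `archive_sshd`, the timestamp format, the reference date and the 365-day margin are assumptions.

```python
import re
from datetime import datetime

DEFAULT_MAX_DAYS_AGO = 2000  # props.conf default stated in the post
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")  # assumed log format

# Constructed sample events (not real data): archived logs plus a recent one.
SAMPLE = """\
2006-03-14 09:12:44 sshd[811]: Failed password for root from 192.0.2.10
2007-11-02 23:59:01 sshd[902]: Accepted publickey for deploy from 192.0.2.22
2013-12-30 08:00:15 sshd[120]: Failed password for admin from 192.0.2.31
no timestamp on this continuation line
"""

def audit(text, now, limit=DEFAULT_MAX_DAYS_AGO):
    """Return (ages_in_days, too_old) where too_old lists (line_no, age)."""
    ages, too_old = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TS_RE.search(line)
        if not m:
            continue  # continuation lines carry no timestamp of their own
        ts = datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")
        age = (now - ts).days
        ages.append(age)
        if age > limit:
            too_old.append((lineno, age))
    return ages, too_old

def suggest_stanza(sourcetype, ages, margin_days=365, limit=DEFAULT_MAX_DAYS_AGO):
    """Build a props.conf stanza only if the oldest event exceeds the limit."""
    if not ages or max(ages) <= limit:
        return None  # default already covers this data
    return f"[{sourcetype}]\nMAX_DAYS_AGO = {max(ages) + margin_days}\n"

if __name__ == "__main__":
    now = datetime(2014, 1, 2, 17, 5, 53)  # constructed reference date
    ages, too_old = audit(SAMPLE, now)
    for lineno, age in too_old:
        print(f"line {lineno}: {age} days old, beyond the {DEFAULT_MAX_DAYS_AGO}-day default")
    stanza = suggest_stanza("archive_sshd", ages)  # hypothetical sourcetype
    if stanza:
        print(stanza)
```

Run it against a sample of the archive before indexing, then confirm the result in the data preview.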

Posted by Splunk