Question:

Splunk Enterprise 6.2 installed – Windows Server 2008 R2. Universal Forwarder installed – EXCH – Windows Server 2008 R2.

What we are trying to do is to filter (or not index) older events from the MSExchange APP - TA-Windows-2008R2-Exchange-IIS. We have logs (C:\inetpub\logs\LogFiles\W3SVC1) from 2010 which we don't need; what we only want is to index events from the last 5 days. What we need is to index data from the last 5 days; all data older than the current 5 days needs to be deleted (frozen/nullQueued).

We already tried by using MAX_DAYS_AGO = 5 in the props.conf file - this was set in both the Universal Forwarder and on the Web Splunk server (indexer), however it didn't work:

C:\Program Files\Splunk\etc\apps\splunk_app_microsoft_…\props.conf

For some reason it indexed the events from the last 5 days (2014), but it also indexed events from 2012; we don't know why it decided to take events from this particular year. Could you please help us on this?

The events from the other sourcetypes from the MSExchange APP are fine to be indexed; only the IIS is the problem one, because it is reaching our license limit. Do we need to create a separate index for IIS, or do you suggest something else?

Answer:

The easiest way to limit an input monitor "to the last X days" is to set ignoreOlderThan. It must be set in the inputs.conf under the stanza you're using to monitor the IIS logs. As Windows isn't consistent about updating file modtime, you may need to use the setting alwaysOpenFile in addition to ignoreOlderThan if the latest IIS logs stop getting sent. Both are set in the inputs.conf of the Splunk instance responsible for watching the logs.

Setting MAX_DAYS_AGO in props.conf sets a limitation on valid dates extracted from events. That setting is for a different use-case.

If you want shorter retention for IIS logs than other logs, write them to a different index. There's no requirement to place IIS logs into a separate index.

There's also no easy way to remove the IIS data that's already indexed. But you're only paying for it in storage space, as the license cost of indexing the data has already been incurred.

I suggest implementing the setting ignoreOlderThan, and scoping your searches to the last business week. If you're curious, have a look at this post that covers some of the details about deleting indexed data.
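The forwarder-side change the answer describes, as an added example that is not from the thread or from the Exchange app; the monitor path is the one in the question, while the sourcetype and index names are assumed:

```ini
# --- props.conf (what was tried; wrong tool for this job) ---------------
# MAX_DAYS_AGO only limits how old an *extracted* timestamp may be. The
# old IIS files are still read and still count against the license; an
# event whose date fails the check is indexed anyway, with a substituted
# timestamp, which is why old years can still show up in search.
[iis]
MAX_DAYS_AGO = 5

# --- inputs.conf on the Universal Forwarder on the Exchange host --------
# ignoreOlderThan is evaluated against the file's modification time, so
# a 2010 log file is never opened and never consumes license volume.
[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
sourcetype = iis
ignoreOlderThan = 5d
# IIS does not reliably bump the file modtime on Windows; without this,
# the current day's log can be skipped as "old" and stop being sent.
alwaysOpenFile = 1
# Assumed index name. A dedicated index is optional, but it is the only
# way to give IIS a shorter retention (frozenTimePeriodInSecs in
# indexes.conf on the indexer) than the other Exchange sourcetypes.
index = exchange_iis
```

Data already indexed from 2010-2012 is unaffected by either file; only new reads are filtered, so search with a time range of the last business week until the old buckets age out.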