<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Indexes + data retirement + Earliest Event in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Indexes-data-retirement-Earliest-Event/m-p/25680#M88653</link>
    <pubDate>Sun, 15 Aug 2010 02:28:33 GMT</pubDate>
    <dc:creator>Stephen_Sorkin</dc:creator>
    <dc:date>2010-08-15T02:28:33Z</dc:date>
    <item>
      <title>Indexes + data retirement + Earliest Event</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexes-data-retirement-Earliest-Event/m-p/25679#M88652</link>
      <description>&lt;P&gt;So looking at the Indexes page in Manager, I can tell that one of my indexes has hit the size limit and is successfully retiring/deleting data as necessary to stay under the size limit I set for it.  However, the 'Earliest Event' timestamp listed is for the earliest that has ever been in the index, not what is actually in the index currently.&lt;/P&gt;

&lt;P&gt;Any (easy) way to have this always show the actual 'Earliest Event' based on what is actually in the index at that time?&lt;/P&gt;

&lt;P&gt;Thanks,&lt;/P&gt;

&lt;P&gt;Scott&lt;/P&gt;</description>
      <pubDate>Thu, 05 Aug 2010 18:47:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexes-data-retirement-Earliest-Event/m-p/25679#M88652</guid>
      <dc:creator>skippylou</dc:creator>
      <dc:date>2010-08-05T18:47:16Z</dc:date>
    </item>
    <item>
      <title>Re: Indexes + data retirement + Earliest Event</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexes-data-retirement-Earliest-Event/m-p/25680#M88653</link>
      <description>&lt;P&gt;Excellent question.&lt;/P&gt;

&lt;P&gt;This is because of the process for updating the metadata when a bucket is retired. It's relatively easy to decrement the counts for sources, sourcetypes and hosts when a bucket goes away. However, it's not efficient to update the earliest and latest timestamps, which are used for this display.&lt;/P&gt;

&lt;P&gt;You have a couple of choices to fix this. You can either get at the data a different way, by means of the &lt;CODE&gt;dbinspect&lt;/CODE&gt; command, or you could update the global &lt;CODE&gt;{Hosts,Sources,SourceTypes}.data&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;To retrieve the accurate time bounds with &lt;CODE&gt;dbinspect&lt;/CODE&gt;, run the search:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| dbinspect index=&amp;lt;index_name&amp;gt; | convert timeformat="%m/%d/%Y:%T" mktime(earliestTime) mktime(latestTime) | stats min(earliestTime) as earliestTime max(latestTime) as latestTime | convert ctime(earliestTime) ctime(latestTime)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;To update the metadata itself, you can create a &lt;CODE&gt;meta.dirty&lt;/CODE&gt; file to cause the metadata to be regenerated:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;touch $SPLUNK_HOME/var/lib/splunk/&amp;lt;index_name&amp;gt;/db/meta.dirty
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sun, 15 Aug 2010 02:28:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexes-data-retirement-Earliest-Event/m-p/25680#M88653</guid>
      <dc:creator>Stephen_Sorkin</dc:creator>
      <dc:date>2010-08-15T02:28:33Z</dc:date>
    </item>
  </channel>
</rss>

