topic Missing events in Getting Data In

Missing events

fuster_j — Fri, 01 Jun 2012 21:43:37 GMT

I know data was there becasue I've created a report 2 weeks ago. Now same search for same time frame is getting a zero return. How can I debug this issue?

Re: Missing events

sideview — Fri, 01 Jun 2012 22:40:42 GMT

Can you post the exact search syntax you're using? Is it possible that your index retention policy is set such that the old data simply got purged out of the index?

Re: Missing events

fuster_j — Fri, 08 Jun 2012 03:14:32 GMT

index=ad_authentiation EventCode=624 | rex field=_raw "User=(?<AD_Admin>.+)" | rex field=_raw "ComputerName=(?<AD_System>.+)"|rex field=_raw "New\sAccount\sName:\s(?<AD_NewUser>.+)" |rex field=_raw "New\sDomain:\s(?<AD_Domain>.+)" | rex field=_raw "Primary\sGroup\sID:\s(?<AD_GID>.+)" | rex field=_raw "Display\sName:\s(?<AD_DisplayName>.+)" |rex field=_raw "Account\sExpires:\s\<(?<AcctExpires>.+)\>" |rex field=_raw "'Password\sNot\sRequired\'\s\-(?<PasswdNOTRequired>.+)" |convert ctime(_time) as timestamp | table timestamp,AD_NewUser,AD_Domain,AD_GID,AD_DisplayName,AD_System,AD_Admin,AcctExpires,PasswdNOTRequired

Re: Missing events

Ayn — Fri, 08 Jun 2012 04:56:56 GMT

Is that index name you're using a typo? ad_authentiation seems to be a word that's missing a c...

Re: Missing events

fuster_j — Mon, 11 Jun 2012 19:15:57 GMT

Found my issue... There is a indexes.conf in system/local/indexes.conf over writing my setting in apps//local/indexes.conf. Forgot the the precedence order.