topic Re: Why cant I see some data that I was able to see before 1 month? Even if retention policy of index is 3 years in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489463#M136716 <P>@manjunathmeti The above query is not running, and also data data cant be deleted because retention is 3 years and time stamp of data was in january 2020 only</P> Mon, 09 Mar 2020 07:04:02 GMT muizash 2020-03-09T07:04:02Z Why cant I see some data that I was able to see before 1 month? Even if retention policy of index is 3 years https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489461#M136714 <P>Notes<BR /> - Our retention policy is 3 years for that abc index.<BR /> - When I exported the result of that query before 1 month, I was able to see that particular data<BR /> - Today when I run exact same query, I can see some missing data.<BR /> - To give you the detail, today I am seeing approx 20K less events out of 1L events.<BR /> - The date range is exact same</P> Mon, 09 Mar 2020 05:51:05 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489461#M136714 muez 2020-03-09T05:51:05Z Re: Why cant I see some data that I was able to see before 1 month? Even if retention policy of index is 3 years https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489462#M136715 <P>Check if data is deleted because of retention or max size in last 1 month.</P> <PRE><CODE>index=_internal sourcetype=splunkd INDEX_NAME component=BucketMover frozenTimePeriodInSecs OR maxTotalDataSizeMB </CODE></PRE> Mon, 09 Mar 2020 06:58:55 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489462#M136715 manjunathmeti 2020-03-09T06:58:55Z Re: Why cant I see some data that I was able to see before 1 month? Even if retention policy of index is 3 years https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489463#M136716 <P>@manjunathmeti The above query is not running, and also data data cant be deleted because retention is 3 years and time stamp of data was in january 2020 only</P> Mon, 09 Mar 2020 07:04:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489463#M136716 muizash 2020-03-09T07:04:02Z Re: Why cant I see some data that I was able to see before 1 month? Even if retention policy of index is 3 years https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489464#M136717 <P>On your indexing layer, run the following from the command line: </P> <PRE><CODE>splunk btool indexes list &lt;INDEXNAME&gt; --debug </CODE></PRE> <P>Replacing with the name of the index that you are seeing issues with. There are a few properties to take note of: </P> <P>1) coldPath.maxDataSizeMB -- The total size in MB of the Cold path for data. If this size is exceeded, data will roll to frozen (and if there is no Cold-To-Frozen archiving strategy in place, will be deleted)<BR /> 2) frozenTimePeriodInSecs -- The number of seconds before data is frozen<BR /> 3) maxTotalDataSizeMB -- The maximum total size across all hot/warm/cold data locations</P> <P>See if any of these are lower than you expect. </P> Mon, 09 Mar 2020 14:59:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-I-see-some-data-that-I-was-able-to-see-before-1-month/m-p/489464#M136717 darrenfuller 2020-03-09T14:59:01Z