I usually run report month by month from Januari untill now (and i still have the report), and now i want to get my March dan May data to review it but the no data at all. I tried run search from Januari too and no data, but i can get my June data.
Is there any limitation from splunk to get past data?
FYI, i don't run any archieving.
Start in the monitoring console, in particular the indexes view , this should advise if your indexes are full and if the data has therefore been deleted due to the size limits been reached in the indexes.conf file.
Splunk has no limitations in getting data from a few months or years ago...
Well what does the monitoring console page say ? If it confirms that it has 6 month old data in the index then it is still there.
If it has been removed / the index is out of space then the data has likely been frozen/deleted and you would need to restore from backup and go through a restoration of data...
Addition Information: Earliest event : 2015-01-19 14:10:16+0700 ; so i think if i search the event from 1 April 2017 to 30 April 2017 i should have the data right?
Assuming your latest event exists in that time range, yes.
The data will exist for 5.9 years if you do not reach the index size limits, reaching the index size limits will also result in the data freezing...