Archive
Highlighted

Can't find my last 6 month data

New Member

HI everyone,
I usually run report month by month from Januari untill now (and i still have the report), and now i want to get my March dan May data to review it but the no data at all. I tried run search from Januari too and no data, but i can get my June data.
Is there any limitation from splunk to get past data?
FYI, i don't run any archieving.

Tags (1)
0 Karma
Highlighted

Re: Can't find my last 6 month data

SplunkTrust
SplunkTrust

Start in the monitoring console, in particular the indexes view , this should advise if your indexes are full and if the data has therefore been deleted due to the size limits been reached in the indexes.conf file.

Splunk has no limitations in getting data from a few months or years ago...

0 Karma
Highlighted

Re: Can't find my last 6 month data

New Member

where i can get/see in indexes view? If splunk has no limitations in getting data from a few months/years ago,how can i get my previous data back?

0 Karma
Highlighted

Re: Can't find my last 6 month data

SplunkTrust
SplunkTrust

If you refer to my link I have linked to the monitoring console documentation and a mention of the indexes page. Also refer to the overview .

0 Karma
Highlighted

Re: Can't find my last 6 month data

New Member

Ok, i have found monitoring console.Now what can i do to obtain my previous 6 months data?

0 Karma
Highlighted

Re: Can't find my last 6 month data

SplunkTrust
SplunkTrust

Well what does the monitoring console page say ? If it confirms that it has 6 month old data in the index then it is still there.

If it has been removed / the index is out of space then the data has likely been frozen/deleted and you would need to restore from backup and go through a restoration of data...

0 Karma
Highlighted

Re: Can't find my last 6 month data

New Member

In Index Details:Instance, The Data Age vs Frozen Age (days) is: 2184, so i will have my data about past 5.9 years isn't it?

0 Karma
Highlighted

Re: Can't find my last 6 month data

New Member

Addition Information: Earliest event : 2015-01-19 14:10:16+0700 ; so i think if i search the event from 1 April 2017 to 30 April 2017 i should have the data right?

0 Karma
Highlighted

Re: Can't find my last 6 month data

SplunkTrust
SplunkTrust

Assuming your latest event exists in that time range, yes.

The data will exist for 5.9 years if you do not reach the index size limits, reaching the index size limits will also result in the data freezing...

0 Karma