Clients are saying they are only seeing 2 days worth of the logs.
[name]
homePath = volume:primary/name/db
coldPath = volume:primary/name/colddb
thawedPath = $SPLUNK_DB/name/thaweddb
frozenTimePeriodInSecs = 15780000
maxWarmDBCount = 300
maxHotSpanSecs=7776000
maxHotBuckets = 3
maxTotalDataSizeMB = 75000
repFactor = auto
We don't set anything other then what I show above. So I would think that the remaining values you show are at their default. We don't restrict their search time.
Just noticed you were showing a role. When we create the roles, we just use the default settings.
What is the value of the default user search time window? For example we use this
[role_canloginuser]
srchDiskQuota = 1000
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
request_remote_tok = enabled
rest_properties_get = enabled
rest_properties_set = enabled
rtSrchJobsQuota = 0
search = enabled
srchJobsQuota = 1
srchMaxTime = 2h
srchTimeWin = 604800
The value of srchTimeWin is 7 days. You might have 30 to 60 days in hot, but they might be limited to only 2 search days.