I have just set up a dashboard with some data from .csv files.
It was working until I made the local host available via link and it seems like all my data got deleted.
I can still see the CSV files in the Dataset and their corresponding lookups.
When I index the data, it says no results found.
Is there any way to get the data back without adding it again?
I am using the free version so I don't want to use all of my 500 MB.
If it no longer shows with an All time
search then somebody deleted it. If splunk
did, then you should find evidence of it with this search:
index=_* bucketmover
What kind of information would I be looking for in the results?
The bucketmover
process moves the buckets from hot
-> warm
(no problem there) and from warm
-> cold
(which in your case probably means deleted
).
Run this index=*
in search bar and select All time
in time range picker.
I've tried that and it still says no results... I re-added the data again and everything was working fine.... A few days later it happened again
well, that maybe because of the retention period. did you check what is the retention period for that index?
I didn't change/modify the retention period. Where would I find that information?
I should also mention the data is from 9 years ago.. Is the index retention period from the timestamp on the data or when it is uploaded to splunk?