How can I confirm if missing, but previously indexed data has been rolled out or deleted on my behalf 😞 ?
I have older data that is known to be previously indexed that is now MIA. Is there an internal log I can view? Keywords?
Here's the basic search :
index=_internal "Moving db"
Apply the filters you want to make the search more precise and you should be ok.
the splunkd.log should indicate when buckets are rolled.