Older data

rahul2gupta · ‎06-30-2021

Hi ,

Query:

index=main sourcetype="activedirectory"

I performed a search which showed only last 14 days of data. Is there a way to get older data than 14 days. User wants to get data of last 1 year.

Regards,

Rahul

gcusello · ‎06-30-2021

Hi @rahul2gupta,

I think that you used one year as search period in the time picker.

So if you have only 14 days, maybe this is the retention of your main index, check it!

In this case, you cannot have more data now, you can change the retention time in $SPLUNK_HOME/system/local/indexes.conf and in the next months you'll have a longer period.

Obviously, in this case calculate the storage requirents with a Capacity Plan.

Ciao.

Giuseppe

rahul2gupta · ‎07-03-2021

Hi @gcusello ,

I checked the retention period of index=main and found out that it is 6 months. Can you please help me to understand why we are getting only last 14 days data.

Regards,

Rahul Gupta

gcusello · ‎07-03-2021

Hi @rahul2gupta,

please check the dimension of the main index using the Monitoring Console.

I saw that you have a max dimension of 50 Gb for main index, maybe this is the problem, even if I don't think.

Then try a different search to understan if you really have data older than 14 days (using always as time period):

| metasearch index=main
| timechart count BY sourcetype

then try

| metasearch index=* sourcetype=activedirectory
| timechart count BY index

Ciao.

Giuseppe

Older data

Linux

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!