Re: Older data

rahul2gupta · ‎06-30-2021

Hi ,

Query:

index=main sourcetype="activedirectory"

I performed a search which showed only last 14 days of data. Is there a way to get older data than 14 days. User wants to get data of last 1 year.

Regards,

Rahul

gcusello · ‎06-30-2021

Hi @rahul2gupta,

I think that you used one year as search period in the time picker.

So if you have only 14 days, maybe this is the retention of your main index, check it!

In this case, you cannot have more data now, you can change the retention time in $SPLUNK_HOME/system/local/indexes.conf and in the next months you'll have a longer period.

Obviously, in this case calculate the storage requirents with a Capacity Plan.

Ciao.

Giuseppe

rahul2gupta · ‎07-03-2021

Hi @gcusello ,

I checked the retention period of index=main and found out that it is 6 months. Can you please help me to understand why we are getting only last 14 days data.

Regards,

Rahul Gupta

gcusello · ‎07-03-2021

Hi @rahul2gupta,

please check the dimension of the main index using the Monitoring Console.

I saw that you have a max dimension of 50 Gb for main index, maybe this is the problem, even if I don't think.

Then try a different search to understan if you really have data older than 14 days (using always as time period):

| metasearch index=main
| timechart count BY sourcetype

then try

| metasearch index=* sourcetype=activedirectory
| timechart count BY index

Ciao.

Giuseppe

Older data

Linux

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation