Getting Data In

search results only for 3 months

splunkuseradmin
Path Finder

I have data indexing from January and have a query I am trying to run for the last 6 months or more, but the search results only return events back to March (the last 3 months). How can I increase the search events limit?
I don't want to force the query using "earliest=-6mon@mon" "latest=@mon"; is there any other way? I need to save it as a report and use loadjob with the time picker in a dashboard, so I cannot use earliest and latest in the search itself.

0 Karma

woodcock
Esteemed Legend

If you are using Accelerated Data Models, then you can extend the backfill farther back.
If you are an admin, you can extend your index retention in indexes.conf.
If you are an admin, you may be able to create a summary index and save a copy/summary of your events there.
See docs.splunk.com for details.

0 Karma
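An added illustration of the index retention settings in indexes.conf mentioned in the answer above. It is not part of the original post; the index name `myindex`, the paths and all values are constructed for the example.

```ini
# indexes.conf (constructed example)
[myindex]
homePath   = $SPLUNK_DB/myindex/db
coldPath   = $SPLUNK_DB/myindex/colddb
thawedPath = $SPLUNK_DB/myindex/thaweddb

# Before (constructed): 90 days = 7776000 seconds.
# A bucket is frozen once its newest event is older than this value;
# frozen buckets are deleted unless an archive location is configured.
# frozenTimePeriodInSecs = 7776000

# After: 365 days = 31536000 seconds.
frozenTimePeriodInSecs = 31536000

# The size cap is enforced independently of age: when the index exceeds it,
# the oldest buckets are frozen even if they are younger than the period above.
maxTotalDataSizeMB = 500000
```

Raising the retention period only affects data still on disk; buckets that were already frozen and deleted are not restored by the change.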

richgalloway
SplunkTrust

If you can only search back 3 months even when specifying earliest=-6mon then you probably only have 3 months of data in that index. There's nothing you can do in a search to locate data that's not there. Run this query to see how far back you can go with your query.

| tstats earliest(_time) as first, latest(_time) as last where index=foo | fieldformat first=strftime(first,"%c") | fieldformat last=strftime(last,"%c")
---
If this reply helps you, Karma would be appreciated.
0 Karma

splunkuseradmin
Path Finder

I know the data has been indexing since January 22nd. When I search with the time range set to only January or any specific month I can see data, but when I search for the last 6 months I get only the past 3 months. I believe something is stopping the search from going back before March 27th; I only get data from March 27th.
Are there any limitations on user IDs (my role: power user)?

Below is the output for index="myindex":
first last
Sun Jan 6 08:23:35 2019 Thu Jul 4 12:26:39 2019

0 Karma