search results only for 3 months

Gaya3_devi · ‎08-27-2024

Hi Splunkers,
i have been working on a dashboard for that I need the data for last 7 months from jan 2024 to till date when i was searching for the logs it was only showing for the last 3 months data i.e., from 10, jun to till date and gradually all the logs are disappearing is there any way to fix this...
i tried this query

| tstats earliest(_time) as first, latest(_time) as last where index=foo | fieldformat first=strftime(first,"%c") | fieldformat last=strftime(last,"%c")

the result shows
index="my-index"
first last

Mon Jun 10 04:19:23 2024 Tue Aug 27 07:50:04 2024

PickleRick · ‎08-27-2024

It's natural that old data is getting rolled out of your index when you're either reaching retention limits or your index (or whole volume) hits size limits. So check your index and volume parameters and your index size usage.

Gaya3_devi · ‎08-27-2024

how to check index and volume parameters and index size

PickleRick · ‎08-28-2024

Depends on your environment. If you have an all-in-one installation, the easiest method would be to go to settings->indexes

search results only for 3 months

data

indexer

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?