A 90day Accelerated Report only shows 10 days of d...

tpaulsen · ‎04-09-2013

Hi, i created a search, to get an overview of the license volume usage in our Splunk system.

index="_internal" source="*metrics.log" per_sourcetype_thruput | eval GBytes=((kb/1024)/1024) | timechart span=1d sum(GBytes) as GBytes by series

The search is being accelerated and should give me data for 90 days. A dashboard that is based on this, only shows 10 days of data. What are we doing wrong? We have a similar sitation with other data and accelerated searches. Data is only viewable for the last 7 - 10 days and than no data.

Thank you, Thomas

tpaulsen · ‎04-10-2013

90 days for the accelerated summary.

jdunlea_splunk · ‎04-09-2013

I think the default retention period for the internal index is 28 days, so without changing that you will not be able to see 90 days of data. I am not sure why you are only seeing 10 days of data - Was this setting lowered by any chance? Do you have access to the CLI? If so, you can run the following command and from the output, check the "frozenTimePeriodInSecs" setting for the [_internal] stanza to see how long you are keeping internal data. (Or you can also check the indexes page in the manager to see what the "earliest event" you have in that index is, to see if there is indeed any data past 10 days ago)

(assuming Splunk is installed in /opt/splunk...)

Command: /opt/splunk/bin/splunk cmd btool indexes list --debug

Also, remember that the report accelerated data will not live longer than the original rawdata, regardless of the report accelerated window setting.

jonuwz · ‎04-09-2013

whats your summary range set to in the saved search ?

A 90day Accelerated Report only shows 10 days of data

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes