Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can't find my last 6 month data

gijoesplunk
New Member
‎10-04-2017 09:41 PM

HI everyone,
I usually run report month by month from Januari untill now (and i still have the report), and now i want to get my March dan May data to review it but the no data at all. I tried run search from Januari too and no data, but i can get my June data.
Is there any limitation from splunk to get past data?
FYI, i don't run any archieving.

Tags (1)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-05-2017 05:05 AM

Start in the monitoring console, in particular the indexes view , this should advise if your indexes are full and if the data has therefore been deleted due to the size limits been reached in the indexes.conf file.

Splunk has no limitations in getting data from a few months or years ago...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

gijoesplunk
New Member
‎10-05-2017 07:00 PM

where i can get/see in indexes view? If splunk has no limitations in getting data from a few months/years ago,how can i get my previous data back?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-05-2017 07:11 PM

If you refer to my link I have linked to the monitoring console documentation and a mention of the indexes page. Also refer to the overview .

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

gijoesplunk
New Member
‎10-06-2017 12:14 AM

Ok, i have found monitoring console.Now what can i do to obtain my previous 6 months data?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-06-2017 06:22 AM

Well what does the monitoring console page say ? If it confirms that it has 6 month old data in the index then it is still there.

If it has been removed / the index is out of space then the data has likely been frozen/deleted and you would need to restore from backup and go through a restoration of data...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

gijoesplunk
New Member
‎10-17-2017 01:51 AM

In Index Details:Instance, The Data Age vs Frozen Age (days) is: 2184, so i will have my data about past 5.9 years isn't it?

0 Karma
Reply

gijoesplunk
New Member
‎10-17-2017 02:00 AM

Addition Information: Earliest event : 2015-01-19 14:10:16+0700 ; so i think if i search the event from 1 April 2017 to 30 April 2017 i should have the data right?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-17-2017 04:16 AM

Assuming your latest event exists in that time range, yes.

The data will exist for 5.9 years if you do not reach the index size limits, reaching the index size limits will also result in the data freezing...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...