Solved: can't see all the event of an index anymore

splunkLPN · ‎05-09-2018

If I search | eventcount summarize=false index=index3 the answer is count : 32339388
If I search index=index3 182154 event events are count with empty days 42 days before the last days.

I've made 2 changes before to have this behavior :

upgrade to 7.1
go from a free license to a dev licence on my lab machine.

of course i'm on "all-time" period (or hope to be, because it's look like I'm not)

thank's for your help 🙂

splunkLPN · ‎05-09-2018

OK I've found the limit : "Search auto-finalized after disk usage limit (0MB) reached. "

View solution in original post

splunkLPN · ‎05-09-2018

OK I've found the limit : "Search auto-finalized after disk usage limit (0MB) reached. "

p_gurav · ‎05-09-2018

Did you run both the query for all time?

splunkLPN · ‎05-09-2018

Thank's. Yes. I did it with the web interface. Is there a SPL command to include all time period ?

skoelpin · ‎05-09-2018

You could use earliest=-100y latest=now

https://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/SearchTimeModifiers

can't see all the event of an index anymore

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

can't see all the event of an index anymore

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)