Splunk Search

Can't search previous data

smickey
New Member

My index indicates I have over 8 million entries, but any search I run ends at midnight and will not search any data before the day that I initiate the search.

I have the time set to "all time" and I'm executing queries that worked properly before. I can verify it's receiving data and the index is getting bigger; it doesn't seem that it's purging any data, I just can't search anything past midnight. It's not a rolling 24 hours but a hard cutoff at 12.

Any idea where I can start looking? I've looked at the indexes but nothing there would indicate a time limit, and nowhere else in Manager can I find a setting or restriction that would limit me from viewing the data. I can't find anything in the free documentation that indicates the free version only lets you view that day's data. I'm at a loss as to where to look next.

1 Solution

rotten
Communicator

Are you looking in the 'Global Summary' box when you first connect to the Search App? I think that reports the total number of events ever processed by your Splunk instance - rather than the current number of events actually archived in your index.

What is your "frozenTimePeriodInSecs" set to for the index you are trying to search? (i.e., your retention policy) Perhaps you are rolling data out of the database...


smickey
New Member

This isn't exactly what was wrong. I had moved my indexes after filling up a drive and the folders were created as root, so it never rolled any data between the hot/warm/cold buckets and ended up just losing the data after about 24 hours, which is what I'm assuming is the default for rolling over the first bucket.

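Two things came up in this thread: the frozenTimePeriodInSecs retention setting rotten asked about, and the index directories being owned by root rather than the Splunk user, which smickey found was the real cause. The script below is an added example (not from the thread and not Splunk's own tooling) that checks both on a host: it resolves the effective frozenTimePeriodInSecs per index from an indexes.conf-style file, following the index stanza, then [default], then Splunk's built-in default, and it verifies directory ownership. The sample indexes.conf, the index names and the expected user are constructed assumptions; on a real system you would point it at $SPLUNK_HOME/etc/system/local/indexes.conf and the homePath/coldPath directories.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two causes discussed above:
# a short frozenTimePeriodInSecs, and index directories owned by the wrong
# user (Splunk cannot roll hot/warm/cold buckets it cannot write to).
# Stanza names, paths and the expected user name are assumptions.

# Constructed sample indexes.conf, embedded so the script runs offline.
SAMPLE_CONF="$(cat <<'EOF'
[default]
frozenTimePeriodInSecs = 2592000

[main]
homePath   = $SPLUNK_DB/defaultdb/db
coldPath   = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
frozenTimePeriodInSecs = 86400

[web]
homePath   = $SPLUNK_DB/webdb/db
coldPath   = $SPLUNK_DB/webdb/colddb
thawedPath = $SPLUNK_DB/webdb/thaweddb
EOF
)"

# Splunk's documented default when no stanza sets the value (6 years).
DEFAULT_FROZEN_SECS=188697600

# stanza_value <conf_text> <stanza> <key>: print the key's value inside
# [stanza], or nothing if the key is not set in that stanza.
stanza_value() {
    printf '%s\n' "$1" | awk -v want="[$2]" -v key="$3" '
        /^\[/ { in_stanza = ($0 == want) }
        in_stanza && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# retention_for <conf_text> <index>: effective frozenTimePeriodInSecs for the
# index: its own stanza first, then [default], then the built-in default.
retention_for() {
    v=$(stanza_value "$1" "$2" frozenTimePeriodInSecs)
    [ -n "$v" ] || v=$(stanza_value "$1" default frozenTimePeriodInSecs)
    [ -n "$v" ] || v=$DEFAULT_FROZEN_SECS
    printf '%s\n' "$v"
}

# secs_to_days <seconds>: integer days, which makes a 1-day retention obvious.
secs_to_days() { echo $(( $1 / 86400 )); }

# dir_owner <dir>: owning user name. ls -ld is POSIX; stat's flags are not portable.
dir_owner() { ls -ld "$1" | awk '{ print $3 }'; }

# check_owner <dir> <expected_user>: 0 if owned by expected_user, 1 if owned
# by someone else, 2 if the directory does not exist.
check_owner() {
    if [ ! -d "$1" ]; then
        echo "missing: $1"
        return 2
    fi
    owner=$(dir_owner "$1")
    if [ "$owner" = "$2" ]; then
        echo "ok: $1 owned by $owner"
        return 0
    fi
    echo "WARN: $1 owned by $owner, expected $2 (bucket rolling will fail)"
    return 1
}

# Demo: report retention for each sample index, then check ownership of a
# temporary directory against the current user as a stand-in for 'splunk'.
for idx in main web; do
    secs=$(retention_for "$SAMPLE_CONF" "$idx")
    echo "index=$idx frozenTimePeriodInSecs=$secs (~$(secs_to_days "$secs") days)"
done
demo_dir=$(mktemp -d)
check_owner "$demo_dir" "$(id -un)" || true
check_owner "$demo_dir/does-not-exist" "$(id -un)" || true
rmdir "$demo_dir"
```

Run it as the user Splunk runs under, and feed it the real homePath, coldPath and thawedPath directories from each index stanza; any WARN line is a directory that needs chown to that user before Splunk can roll buckets again, and a retention of ~1 day explains data vanishing at the rollover boundary.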