- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can't search previous data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My index indicates i have over 8 million entries but any search i run ends at midnight and will not search any data before the day that i initiate the search.
I have the time set to "all time" and i'm executing queries that worked properly before. I can verify it's receiving data and the index is getting bigger, it doesn't seem that it's purging any data i just can't search anything past midnight. It's not a rolling 24 hours but a hard cutoff at 12.
Any idea where i can start looking? i've looked at the indexes but nothing there would indicate a time limit and no where else in manager can i find a setting or restriction that would limit me from viewing the data. I can't find anything in the free documentation that indicates the free version only lets you view that day's data. I'm at a loss as to where to look next.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking in the 'Global Summary' box when you first connect to the Search App? I think that reports the total number of events ever processed by your Splunk instance - rather than the current number of events actually archived in your index.
What is your "frozenTimePeriodInSecs" set to for the index you are trying to search? (ie, your retention policy) Perhaps you are rolling data out of the database...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking in the 'Global Summary' box when you first connect to the Search App? I think that reports the total number of events ever processed by your Splunk instance - rather than the current number of events actually archived in your index.
What is your "frozenTimePeriodInSecs" set to for the index you are trying to search? (ie, your retention policy) Perhaps you are rolling data out of the database...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This isn't exactly what was wrong, i had moved my indexes after filling up a drive and the folders were created as root so it never rolled any data between the hot/warm/cold buckets so ended up just losing the data after about 24 hours which is what i'm assuming is the default for rolling over the first bucket
Archived Metrics Now Available for APAC and EMEA realms
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
