Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't search previous data

smickey
New Member
‎08-08-2010 02:56 PM

My index indicates i have over 8 million entries but any search i run ends at midnight and will not search any data before the day that i initiate the search.

I have the time set to "all time" and i'm executing queries that worked properly before. I can verify it's receiving data and the index is getting bigger, it doesn't seem that it's purging any data i just can't search anything past midnight. It's not a rolling 24 hours but a hard cutoff at 12.

Any idea where i can start looking? i've looked at the indexes but nothing there would indicate a time limit and no where else in manager can i find a setting or restriction that would limit me from viewing the data. I can't find anything in the free documentation that indicates the free version only lets you view that day's data. I'm at a loss as to where to look next.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rotten
Communicator
‎08-09-2010 02:23 PM

Are you looking in the 'Global Summary' box when you first connect to the Search App? I think that reports the total number of events ever processed by your Splunk instance - rather than the current number of events actually archived in your index.

What is your "frozenTimePeriodInSecs" set to for the index you are trying to search? (ie, your retention policy) Perhaps you are rolling data out of the database...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rotten
Communicator
‎08-09-2010 02:23 PM

Are you looking in the 'Global Summary' box when you first connect to the Search App? I think that reports the total number of events ever processed by your Splunk instance - rather than the current number of events actually archived in your index.

What is your "frozenTimePeriodInSecs" set to for the index you are trying to search? (ie, your retention policy) Perhaps you are rolling data out of the database...

0 Karma
Reply
Solved! Jump to solution

smickey
New Member
‎08-19-2010 01:14 AM

This isn't exactly what was wrong, i had moved my indexes after filling up a drive and the folders were created as root so it never rolled any data between the hot/warm/cold buckets so ended up just losing the data after about 24 hours which is what i'm assuming is the default for rolling over the first bucket

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...