
Can't search previous data

New Member

My index indicates I have over 8 million entries, but any search I run ends at midnight and will not search any data before the day that I initiate the search.

I have the time set to "all time" and I'm executing queries that worked properly before. I can verify it's receiving data and the index is getting bigger; it doesn't seem that it's purging any data, I just can't search anything past midnight. It's not a rolling 24 hours but a hard cutoff at 12.

Any idea where I can start looking? I've looked at the indexes but nothing there would indicate a time limit, and nowhere else in Manager can I find a setting or restriction that would limit me from viewing the data. I can't find anything in the free documentation that indicates the free version only lets you view that day's data. I'm at a loss as to where to look next.

1 Solution

Communicator

Are you looking in the 'Global Summary' box when you first connect to the Search App? I think that reports the total number of events ever processed by your Splunk instance, rather than the current number of events actually archived in your index.

What is your "frozenTimePeriodInSecs" set to for the index you are trying to search (i.e., your retention policy)? Perhaps you are rolling data out of the database...



New Member

This isn't exactly what was wrong. I had moved my indexes after filling up a drive and the folders were created as root, so it never rolled any data between the hot/warm/cold buckets and ended up just losing the data after about 24 hours, which is what I'm assuming is the default for rolling over the first bucket.
