Splunk Search

Data in Index Disappears After Restart

sclem
Engager

I'm trying to troubleshoot a situation where recently indexed data was searchable up until Splunk was restarted. My license is valid, and I have no hard overage warnings.

I've even tried this on a test box with a fresh install of Splunk. After the restart the indicator on the right side of the home screen under Data went from 50+ million items to "Waiting for data..."

For full disclosure I am trying to index some historical data from 2008. I did add the following to the props.conf located in ..Splunk/etc/system/local.

[default]
MAX_DAYS_AGO = 3650

Also I am running v6.1.2 on Windows.


somesoni2
Revered Legend

Check the "frozenTimePeriodInSecs" property for the index on which this is imported. This defines the data retiring policy for the index (events older than frozenTimePeriodInSecs value in sec, will get deleted).

By default its value is 188697600 which is 6 years and your data may be older than that. If the value for your index is less than or equal to this, that could be the cause for it. Just bump the value to higher than this, if that is the case.

sclem
Engager

Success! I got this to work on a new test box. I confirmed it was working by restarting Splunk after indexing the logs and checking the results of a few queries.

Before indexing I didn't have an indexes.conf, so I copied the sample from ..Splunk/etc/system/default to ..Splunk/etc/system/local and changed frozenTimePeriodInSecs to

frozenTimePeriodInSecs = 377395200

Many thanks!
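
The retention check from the accepted answer can be run before importing historical data. This is an added example, not part of the original thread and not Splunk's own code: the index names, the sample indexes.conf and the dates are constructed, and it assumes a bucket is frozen once its newest event is older than frozenTimePeriodInSecs and is deleted unless coldToFrozenDir or coldToFrozenScript is set.

```python
from datetime import datetime, timezone
SPLUNK_DEFAULT_FROZEN_SECS = 188697600  # default quoted in the answer above
# Constructed sample indexes.conf (index names are made up for this example).
SAMPLE_CONF = """
[default]
frozenTimePeriodInSecs = 188697600
[history2008]
[history_fixed]
frozenTimePeriodInSecs = 377395200
[short_lived]
frozenTimePeriodInSecs = 7776000
coldToFrozenDir = D:\\frozen\\short_lived
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def retention_report(text, newest_event, now):
    """Map each index to (fate, margin_days) for a bucket whose newest event is newest_event."""
    stanzas = parse_conf(text)
    defaults = stanzas.pop("default", {})
    age = (now - newest_event).total_seconds()
    report = {}
    for name, own in stanzas.items():
        cfg = {**defaults, **own}  # per-index settings override [default]
        limit = int(cfg.get("frozenTimePeriodInSecs", SPLUNK_DEFAULT_FROZEN_SECS))
        if age <= limit:
            fate = "kept"
        elif "coldToFrozenDir" in cfg or "coldToFrozenScript" in cfg:
            fate = "archived"  # frozen buckets are archived instead of deleted
        else:
            fate = "deleted"
        report[name] = (fate, round((limit - age) / 86400))
    return report

if __name__ == "__main__":
    newest = datetime(2008, 3, 31, tzinfo=timezone.utc)  # constructed date
    for index, result in retention_report(SAMPLE_CONF, newest, datetime.now(timezone.utc)).items():
        print(index, *result)
```

A negative margin is the number of days by which the data already exceeds the index's retention limit, so any index reported as "deleted" will lose the imported events once Splunk applies its retention policy.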
