Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Data vanished from search

Kindred
Path Finder
‎03-12-2014 06:20 AM

Hey,

We have a 20GB index that is showing an earliest date of 27th Dec 2013. The current size of the index is about 19.995GB, so this leads me to believe it is full and rolling data for deletion, with the earliest entry still being over 3 months ago.

However, when I search for events from last month (say 1st Feb) I don't see any data at all.

What could have caused the data to be removed from search, given the index thinks its has data going back 3 months?

How can I verify the current retention time? I have a feeling the earliest date reference in the index configuration page is lying to me.

Tags (3)
0 Karma
Reply

bshuler_splunk
Splunk Employee
Splunk Employee
‎03-12-2014 07:13 AM

Odds are you search is bad. When I am not seeing what I expect, I eliminate constraints until I see the data. Most times I added a constraint without understanding it fully. I would try a search like this:

index=main | stats min(_time) as time | eval time=strftime(time, "%H:%M:%S %m-%d-%y")

over all time, and see what I get.

0 Karma
Reply

Kindred
Path Finder
‎03-12-2014 07:35 AM

I have literally just specified index=myindex and set the custom timeframe.

I have a feeling the "earliest date" column in the index configuration is lying to me, and it is actually rolling over faster than I thought.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...