Solved: How do I edit my timechart search to show all requ...

OldManEd · ‎08-11-2015

I am running the following search:

index=_internal source=*metrics.log 
earliest=07/01/2015:00:00:0 
latest=08/10/2015:23:59:59 
| eval GB=kb/(1024*1024) 
| search group="per_index_thruput" 
| timechart span=1d sum(GB) by series limit=15

But when I run it, the chart data only goes back to July 13th.

Is there any way I can change the search to display all the data?

~Ed

somesoni2 · ‎08-11-2015

The default retention period of the _internal index is 30 days (in indexes.conf on Indexers, frozenTimePeriodInSecs = 2592000). That's why the data that you see is approximately 30 days old. (there is no data to show beyond that point)

View solution in original post

somesoni2 · ‎08-11-2015

The default retention period of the _internal index is 30 days (in indexes.conf on Indexers, frozenTimePeriodInSecs = 2592000). That's why the data that you see is approximately 30 days old. (there is no data to show beyond that point)

OldManEd · ‎08-11-2015

Oh heck. thanks for the info.
~Ed

How do I edit my timechart search to show all requested data?

Can’t make it to .conf25? Join us online!

Index This | How many sevens are there between 1 and 100?

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

What Is Splunk? Here’s What You Can Do with Splunk

Are you a member of the Splunk Community?

How do I edit my timechart search to show all requested data?

Can’t make it to .conf25? Join us online!

Index This | How many sevens are there between 1 and 100?

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

What Is Splunk? Here’s What You Can Do with Splunk