Solved: How do I edit my timechart search to show all requ...

OldManEd · ‎08-11-2015

I am running the following search:

index=_internal source=*metrics.log 
earliest=07/01/2015:00:00:0 
latest=08/10/2015:23:59:59 
| eval GB=kb/(1024*1024) 
| search group="per_index_thruput" 
| timechart span=1d sum(GB) by series limit=15

But when I run it, the chart data only goes back to July 13th.

Is there any way I can change the search to display all the data?

~Ed

somesoni2 · ‎08-11-2015

The default retention period of the _internal index is 30 days (in indexes.conf on Indexers, frozenTimePeriodInSecs = 2592000). That's why the data that you see is approximately 30 days old. (there is no data to show beyond that point)

View solution in original post

somesoni2 · ‎08-11-2015

The default retention period of the _internal index is 30 days (in indexes.conf on Indexers, frozenTimePeriodInSecs = 2592000). That's why the data that you see is approximately 30 days old. (there is no data to show beyond that point)

OldManEd · ‎08-11-2015

Oh heck. thanks for the info.
~Ed

How do I edit my timechart search to show all requested data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation