Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I need to retrieve results for the last 30 days, but why is my search only returning results for the last 3 days?

gandusarath
Engager
‎12-11-2015 06:19 AM

I have this search:

 index=os sourcetype=ps host=rtl*pxiw01* (DataFlowEngine AND *Inbound) earliest=-30d | multikv fields RSZ_KB,VSZ_KB,COMMAND,ARGS | search (COMMAND="DataFlowEngine" AND ARGS=*Inbound) 
| timechart span=1d max(VSZ_KB) as VSZ by host .

I need to retrieve results for last 30 days, but my search head is retrieving results only for the last 3 days. Can someone please advise on how to get results for 30 days?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-14-2015 04:03 AM

You used earliest=-3d but do you know of _index_earliest ? and _index_latest ?

Also did you change the timepicker or just specify earliest in your search?

Finally, are the dates right on all your data? Say 27 days of your data was from 2001 due to an incorrect timestamp... Splunk would index these events as if they were 14 years ago, not last 30d. So in this case, you'd be interested in _index_earliest=-3d instead.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎12-11-2015 08:06 AM

Do you have more than 3 days of data in there? If you remove ALL references to time and just run your base search with the time selector set to "all time", what do you get?

This search, that is:

index=os sourcetype=ps host=rtl*pxiw01* (DataFlowEngine AND *Inbound)

Let us know what you find.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-13-2015 01:03 PM

In addition run this command to see when the index saw the first event form the hosts host=rtl*pxiw01*:

 | metadata type=host index=os | search host=rtl*pxiw01* | convert ctime(firstTime) AS TimeOfFirstEvent | sort - firstTime
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...