Splunk Search

Splunk Data and apps all got deleted

abhijitnath89
Path Finder

All data and apps from our distributed architecture suddenly got deleted, including indexes and other configurations.
Anyone faced this issue before? Any way to check how this happened?

0 Karma

shiv1593
Communicator

If you're running on linux, then you can look into Audit logs of the system under /var/log/audit. Splunk has it's own audit logs too, so you can look them up as well under /var/log/splunk/audit.log. These, couple with the knowledge of who logged in to your system, during the time when the data went missing by analyzing /var/log secure logs, you may begin your investigation.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...