Splunk Search

Unable to see data indexed 4 hours ago

PN3000
Loves-to-Learn

Hi,

Data was indexed 4 hours ago. At the time i was able to see the data when searching the relevant index. 4 hours later that data is no longer there when running the same search.

index=abc123 source=mysource

I can see other data in the index, and retention period is configured for 3 months.

How can i view this data? What can i check to see 

Splunk On prem - 7.3.15

Thanks

PN 

 

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust
What is the time window of your search?
---
If this reply helps you, Karma would be appreciated.
0 Karma

PN3000
Loves-to-Learn

As it's a newly created source, the search window is 'All Time'. 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...