Splunk Search

What happened to the data?

SumanPalisetty
Path Finder

Hi,

I have a question for my understanding. Kindly help.

You had data in the past; if one fine day you see there is no data, how do you troubleshoot?

Regards

Suman P.


FrankVl
Ultra Champion

This page in Splunk Docs is a good starting point:

https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata

In the end it boils down to understanding how exactly that data is supposed to come into Splunk and then, in a structured way, troubleshooting which of the components in the chain that handles that data ingest is broken. The exact steps will differ depending on the ingest mechanism.


SumanPalisetty
Path Finder

Hi,

Please give the answer in a couple of lines for both the scenarios. For

1. Data from a certain date or certain sourcetype or index is missing

2. All the data is missing

Regards

Suman P.


ITWhisperer
SplunkTrust

Check retention periods for your indexes if data past a certain date is missing

Try loosening the filters on your searches to see if the data appears

Check the status of the indexes (how much data do they have in them)
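
An added example, not part of the original thread: one search that covers the retention and index-status checks listed above by reading each index's settings and contents from the `data/indexes` REST endpoint. It assumes the account running it is allowed to use the `rest` command and that `maxTime` is returned as an ISO 8601 timestamp with a numeric offset; the field names `retention_days`, `pct_of_size_cap` and `hours_since_newest` are made up for this example.

```spl
| rest /services/data/indexes
| eval retention_days = round(frozenTimePeriodInSecs / 86400, 1)
| eval pct_of_size_cap = round(100 * currentDBSizeMB / maxTotalDataSizeMB, 1)
| eval hours_since_newest = round((now() - strptime(maxTime, "%Y-%m-%dT%H:%M:%S%z")) / 3600, 1)
| table splunk_server title totalEventCount currentDBSizeMB maxTotalDataSizeMB pct_of_size_cap retention_days minTime maxTime hours_since_newest
| sort - hours_since_newest
```

If `minTime` sits roughly `retention_days` in the past, or `pct_of_size_cap` is close to 100, older events have most likely aged out of the index; a large `hours_since_newest` points to ingest having stopped instead.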

ITWhisperer
SplunkTrust

You are going to have to be more specific - is it that all of your data is "missing" or only prior to a particular point in time? Is it that some data is found by some searches but not by others? Can you narrow down the circumstances which lead to the missing data?
