I needed to restart my Splunk instance on our heavy forwarder the other day. After restarting, I am unable to search on anything before the restart on our main indexer. I am not seeing anything in the logs to indicate an issue. If I browse out to the DB directories, I see the older data still there. The search summary shows the stats correctly. I have restarted the Splunk process several times in the past with no issues. Any ideas how to correct this issue? Any help would be great. Thanks.
If you have made no changes to your index retention policy, then you should have no local/indexes.conf files with policy settings. If you do have local/indexes.conf files, they should not contain DEFAULT settings.
Here is some info on indexes.conf settings:
http://wiki.splunk.com/Deploy:BucketRotationAndRetention
What are the permissions on the hot buckets?
Now that I stopped Splunk and started it back up again. I can only search back to a few minutes ago. Very strange.
Yes, permissions are the same.
I ran the splunk fsck --all. No results were returned.
Those permissions seem a bit restrictive. Are they the same on the searchable and non-searchable buckets?
db_1374688147_1374668673_3725_79F4ED3B-4785-4ECF-8AE6-AA7FE75EEAA9
Wednesday, July 24, 2013 1:49:07 PM to Wednesday, July 24, 2013 8:24:33 AM
db_1375807093_1375787134_3841_79F4ED3B-4785-4ECF-8AE6-AA7FE75EEAA9
Tuesday, August 06, 2013 12:38:13 PM to Tuesday, August 06, 2013 7:05:34 AM
*Data is contained in that file*
[root@feprsplunk01 db_1375807093_1375787134_3841_79F4ED3B-4785-4ECF-8AE6-AA7FE75EEAA9]# ls -l
total 622264
-rw------- 1 root root 451868154 Aug 6 09:34 1375807093-1375787134-2736230854333308492.tsidx
You can also run a check on your buckets.
splunk stop
splunk fsck --all
splunk start
Here are the details on "splunk fsck"
http://wiki.splunk.com/Community:PostCrashFsckRepair
You know, the buckets are named 'earliesttimestamp_latesttimestamp_uniquenumber', and the times are epoch times. Convert one or two of the non-searchable ones: http://www.epochconverter.com/
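To save converting the timestamps by hand, here is a small script (added as an example; it is not from the original thread or from Splunk) that decodes the two epoch values in a `db_*` bucket directory name into UTC times and reports which buckets overlap a given search window. It takes the larger of the two epoch values as the bucket's latest event time, which matches the conversions posted in this thread (the first number converts to the later time). The two bucket names are taken from the thread; the `hot_v1_3900` entry is constructed to show that hot buckets carry no timestamps in their names and are skipped.

```python
import re
from datetime import datetime, timezone

# Warm/cold bucket directory names: db_<epoch>_<epoch>_<id>[_<guid>]
# (rb_ is the replicated-bucket prefix in clustered deployments).
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_([0-9A-Fa-f-]+))?$")


def parse_bucket_name(name):
    """Return the time range encoded in a bucket directory name, or None if the
    name does not carry one (hot buckets, stray files)."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    t1, t2, bucket_id, guid = m.groups()
    t1, t2 = int(t1), int(t2)
    return {
        "name": name,
        "earliest": min(t1, t2),  # oldest event in the bucket
        "latest": max(t1, t2),    # newest event in the bucket
        "id": int(bucket_id),
        "guid": guid,
    }


def to_utc(epoch):
    """Format an epoch second as a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def buckets_covering(names, start_epoch, end_epoch):
    """Names of buckets whose [earliest, latest] range overlaps the search window."""
    hits = []
    for info in (parse_bucket_name(n) for n in names):
        if info is None:
            continue
        if info["earliest"] <= end_epoch and info["latest"] >= start_epoch:
            hits.append(info["name"])
    return hits


def oldest_event_time(names):
    """Earliest event time across all parseable buckets, or None if there are none."""
    times = [i["earliest"] for i in (parse_bucket_name(n) for n in names) if i]
    return min(times) if times else None


# Bucket names from the thread plus one constructed hot-bucket name.
SAMPLE_DIRS = [
    "db_1374688147_1374668673_3725_79F4ED3B-4785-4ECF-8AE6-AA7FE75EEAA9",
    "db_1375807093_1375787134_3841_79F4ED3B-4785-4ECF-8AE6-AA7FE75EEAA9",
    "hot_v1_3900",  # constructed: hot buckets have no timestamps in the name
]

if __name__ == "__main__":
    for d in SAMPLE_DIRS:
        info = parse_bucket_name(d)
        if info is None:
            print(f"{d}: no time range in name (hot bucket?)")
        else:
            print(f"{d}\n  {to_utc(info['earliest'])} -> {to_utc(info['latest'])}  id={info['id']}")
    # Search window covering 2013-07-24 (UTC): only the first bucket should match.
    print(buckets_covering(SAMPLE_DIRS, 1374624000, 1374710400))
```

Run it in the index's `db` directory with `os.listdir(".")` in place of `SAMPLE_DIRS` to see whether the buckets that are still on disk actually span the time range you can no longer search; if they do, the data is there and the problem lies in how the indexer is registering those buckets, not in retention.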
Yes, if I go to say the windows DB directory via ssh, I can see all the new and old files.
Yes, I can search all indexes and get only the new events since restarting.
Let me see if I have this straight.
1) You can see the searchable and non-searchable buckets in the same index/database.
2) When you search that index/database you only see events since the restart?
Maybe the buckets configuration. Could you check configurations?
Check that in indexes.conf
Is there a global setting or is that done per index? If global, what file am I looking for?
Yes, the unix servers are not going to the heavy forwarder. All events since the restart have been indexed. Yes, splunk has done something crazy. I was wondering if there is a corrupt DB file or something, since splunk starts with newer events and goes backwards.
You win the splunk did something weird award.
I'm gonna have to think about that one.
It is indexing new events as it should from both unix and windows. What I lost were events prior to restarting the service. I can search on all events since the restart.
So, you're not getting data from either unix (not passing through the heavy forwarder) or from windows?
On the main indexer, I have syslog and Splunk forwarders from unix. On the heavy forwarder, it is just windows servers from Splunk forwarders that I am filtering out some events before forwarding on.
What type of inputs?
What solution found in this case?
Was the issue sorted out? I am also facing the same kind of issue.