Solved: missing results from search to display indexed vol...

remy06 · ‎07-31-2011

I intend to set this as a saved search that will show the daily indexed volume for the previous month.

Here's the search:

index=_internal todaysBytesIndexed LicenseManager-Audit source=*license_audit.log | eval totalMB=todaysBytesIndexed/1024/1024 | timechart span=1d sum(totalMB)

And the time range:

Start: -1mon@mon

End: @mon

However,I noticed the result of the first few days of the month is always blank.

For eg.

_time sum(totalMB) 1 7/1/11 12:00:00.000 AM 2 7/2/11 12:00:00.000 AM 3 7/3/11 12:00:00.000 AM 4 7/4/11 12:00:00.000 AM 5 7/5/11 12:00:00.000 AM 2170.493555 6 7/6/11 12:00:00.000 AM 1543.009449 ... ...

gkanapathy · ‎08-01-2011

The default frozenTimePeriodInSecs, i.e., the retention time, for the _internal index where this data is indexed is only 2419200 seconds, i.e., 28 days. This means that data may be stored for as little as 28 days. When combined with a default bucket size of only 100 MB for the _internal index, this means that you are very unlikely to have data much more than that.

These are set in the default indexes.conf file. You can of course override and increase this default.

View solution in original post

gkanapathy · ‎08-01-2011

The default frozenTimePeriodInSecs, i.e., the retention time, for the _internal index where this data is indexed is only 2419200 seconds, i.e., 28 days. This means that data may be stored for as little as 28 days. When combined with a default bucket size of only 100 MB for the _internal index, this means that you are very unlikely to have data much more than that.

These are set in the default indexes.conf file. You can of course override and increase this default.

missing results from search to display indexed volume

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor