When dealing with historical data in Splunk, there are a few factors to consider. i) Check if your Splunk deployment has custom retention policies configured. You can adjust these policies to retain data for a longer period of time. I think that you should read at https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

Understand what security monitoring means and learn more about it and Remember, the best way to learn is by doing. Start with some basic use cases and gradually progress to more advanced ones. You can also join online communities and forums to connect with other Splunk users and ask questions. https://www.splunk.com/en_us/blog/security/introducing-splunk-security-use-cases.html https://lantern.splunk.com/Security/Getting_Started/Identifying_Splunk_Enterprise_Security_use_cases_and_data_sources https://www.splunk.com/en_us/resources/videos/splunk-enterprise-security-use-case-library.html  

Splunk keeps a seven-day backup of data and config files, but that probably does not include dashboards. The https://splunkbase.splunk.com/app/5061 app purports to support dashboards, but I've never used it. In the worst case, you can edit the dashboard and copy-paste the source into git.

I almost forgot one of the best resources to learn is https://bots.splunk.com/login. You will find rebuild detection in there that you can copy out and use. Is also has games and challenges. I believe you login for this site will work there. You will find it very useful.  https://bots.splunk.com/login

Try it like this: (I don't think you can change the time from what was used in the base search, and there should only be one level of <search></search>) <chart depends="$abc$"> <title>Chart1</title> <search base="basesearch"> <query> |search host="INFO" OR host="ERROR" panel=$panel1$ |timechart span=$TimeSpan$m count by panel usenull=f useother=f | eventstats sum("host") as _host</query> <done> <eval abc="computer1"</eval> </done> </search> <option name="charting.axisTitleY.visibility">collapsed</option> <option name="charting.chart">column</option> <option name="charting.drilldown">all</option> <option name="charting.fieldColors">{"host":0xFFFF00}</option> <option name="charting.legend.placement">bottom</option> <option name="refresh.display">progressbar</option> </chart>

Still struggling to get our 9.1.3 forwarders working on RHEL7 and RHEL8 on DISA STIGed machines after the upgrade.  Nothing I can find online, even here, to help yet.  tcp_conn-open-afux ossocket_connect failed with no such file or directory' messages and SplunkForwarder.service just vanishes.  Really?  Tried yum erase and rm -R /opt/splunkforwarder and new install and still no-go.   Worked before as splunk user.  <aargh!> Worked before the upgrade.  Going back to older version for now since the Cyber Team is really miffed. Update 1: Well - added splunkfwd account to the root group and made progress, but not 100%.  Will try root:root as experiment - it does appear to be permission issues on STIG locked down machine even  though splunkfwd:splunkfwd owns all /opt/splunkforwarder/ files and directories. Update2: Running as root has not fixed the issue.  'netstat -an|grep 9997 on forwarder and indexer machines shows connections, 'Forwarder: Deployment' screen shows the non-working forwarders but 'Forwarder Management' screen does not show the forwarders.  The 9.1.2 and 8.2.2.1 (yeah, old - but there are reasons) still work fine forwarding to the 9.1.3 indexer.  Hoping 9.2.0.1 fixes this or I must roll back.