×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
doniaelansasy
Loves-to-Learn Lots
Member since: ‎03-25-2025
‎03-31-2025
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-25-2025
Activity Feed
View All

Re: Missing events in a sourcetype

by in Splunk Search
‎03-26-2025 02:41 AM
‎03-26-2025 02:41 AM
"There was too much data, or it was too old, causing the oldest events to be pushed out of the indexes." Regarding this line, how is it relevant if it is too much data and will it matter if the data of the event log itself is old however it was only indexed 1 week ago? Does this mean that some event logs could be overwritten? ... View more

Re: Missing events in a sourcetype

by in Splunk Search
‎03-26-2025 02:38 AM
‎03-26-2025 02:38 AM
I am pretty sure that it wont roll to frozen state yet as it was just indexed a week ago and the retention policy is over 6 months. I never even used the delete command before. And yes I have permissions. ... View more

Re: Missing events in a sourcetype

by in Splunk Search
‎03-26-2025 02:35 AM
‎03-26-2025 02:35 AM
I only edited the inputs.conf in a specific app ... View more

Re: Missing events in a sourcetype

by in Splunk Search
‎03-25-2025 03:30 AM
‎03-25-2025 03:30 AM
I have searched for the events using both new and old sourcetypes and date range of (All Time) to no avail. I am positive I didn't delete anything manually.  ... View more

Missing events in a sourcetype

by in Splunk Search
‎03-25-2025 02:36 AM
‎03-25-2025 02:36 AM
I’ve encountered an issue while working on a configuration for a Splunk deployment. I was creating a stanza in the inputs.conf file within an app that would be pushed to multiple clients via the deployment server. The goal was to retrieve specific data across multiple clients. However, I noticed that the data retrieval wasn't working as expected. While troubleshooting the issue, I made several changes to the stanza, including tweaking key values. In the process, I tried to change the source type in the stanza. Unfortunately, after making this change, all the events that had already been indexed and retrieved vanished. I'm looking for guidance on how to recover the missing events or if there’s any way to prevent this in the future when modifying the source type in inputs.conf. Any insights or suggestions on how to address this would be greatly appreciated! Thank you in advance for your help! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-31-2025 04:20 AM