I usually run report month by month from Januari untill now (and i still have the report), and now i want to get my March dan May data to review it but the no data at all. I tried run search from Januari too and no data, but i can get my June data.
Is there any limitation from splunk to get past data?
FYI, i don't run any archieving.
Start in the monitoring console, in particular the indexes view , this should advise if your indexes are full and if the data has therefore been deleted due to the size limits been reached in the indexes.conf file.
Splunk has no limitations in getting data from a few months or years ago...
If you refer to my link I have linked to the monitoring console documentation and a mention of the indexes page. Also refer to the overview .
Well what does the monitoring console page say ? If it confirms that it has 6 month old data in the index then it is still there.
If it has been removed / the index is out of space then the data has likely been frozen/deleted and you would need to restore from backup and go through a restoration of data...
Assuming your latest event exists in that time range, yes.
The data will exist for 5.9 years if you do not reach the index size limits, reaching the index size limits will also result in the data freezing...