I need to retrieve results for the last 30 days, b...

gandusarath · ‎12-11-2015

I have this search:

 index=os sourcetype=ps host=rtl*pxiw01* (DataFlowEngine AND *Inbound) earliest=-30d | multikv fields RSZ_KB,VSZ_KB,COMMAND,ARGS | search (COMMAND="DataFlowEngine" AND ARGS=*Inbound) 
| timechart span=1d max(VSZ_KB) as VSZ by host .

I need to retrieve results for last 30 days, but my search head is retrieving results only for the last 3 days. Can someone please advise on how to get results for 30 days?

jkat54 · ‎12-14-2015

You used earliest=-3d but do you know of _index_earliest ? and _index_latest ?

Also did you change the timepicker or just specify earliest in your search?

Finally, are the dates right on all your data? Say 27 days of your data was from 2001 due to an incorrect timestamp... Splunk would index these events as if they were 14 years ago, not last 30d. So in this case, you'd be interested in _index_earliest=-3d instead.

Richfez · ‎12-11-2015

Do you have more than 3 days of data in there? If you remove ALL references to time and just run your base search with the time selector set to "all time", what do you get?

This search, that is:

index=os sourcetype=ps host=rtl*pxiw01* (DataFlowEngine AND *Inbound)

Let us know what you find.

MuS · ‎12-13-2015

In addition run this command to see when the index saw the first event form the hosts host=rtl*pxiw01*:

 | metadata type=host index=os | search host=rtl*pxiw01* | convert ctime(firstTime) AS TimeOfFirstEvent | sort - firstTime

I need to retrieve results for the last 30 days, but why is my search only returning results for the last 3 days?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!