Splunk Search

Data in Index Disappears After Restart

sclem
Engager

I'm trying to troubleshoot a situation where recently indexed data was searchable up until Splunk was restarted. My license is valid, and I have no hard overage warnings.

I've even tried this on a test box with a fresh install of Splunk. After the restart the indicator on the right side of the home screen under Data went from 50+ million items to "Waiting for data..."

For full disclosure I am trying to index some historical data from 2008. I did add the following to the props.conf located in ..Splunk/etc/system/local.

[default]

MAX_DAYS_AGO = 3650

Also I am running v6.1.2 on Windows.

1 Solution

somesoni2
SplunkTrust

Check the "frozenTimePeriodInSecs" property for the index on which this is imported. This defines the data retiring policy for the index (events older than frozenTimePeriodInSecs value in sec, will get deleted).

By default its value is 188697600, which is 6 years, and your data may be older than that. If the value for your index is less than or equal to this, that could be the cause for it. Just bump the value to higher than this, if that is the case.

sclem
Engager

Success! I got this to work on a new test box. I confirmed it was working by restarting Splunk after indexing the logs and checking the results of a few queries.

Before indexing I didn't have an indexes.conf, so I copied the sample from ..Splunk/etc/system/default to ..Splunk/etc/system/local and changed frozenTimePeriodInSecs to

frozenTimePeriodInSecs = 377395200

Many thanks!
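The accepted answer and the follow-up both come down to one check: is the age of the events being ingested greater than the effective frozenTimePeriodInSecs for the target index? The script below is an added example, not Splunk's code or the configuration from this thread. It parses a constructed indexes.conf fragment with the same "[stanza]" / "key = value" layout shown above, resolves frozenTimePeriodInSecs for each index (index stanza first, then [default], then the 188697600-second default cited in the answer; that inheritance order is an assumption about how the simplified parser here resolves values), and reports which indexes would freeze events of a given timestamp. The clock, index names and sample values are constructed for the demonstration.

```python
"""
Retention pre-check for historical data against Splunk-style indexes.conf.

Added example (not Splunk's code). Assumptions: the conf fragment uses only
"[stanza]" headers and "key = value" lines, frozenTimePeriodInSecs resolves
index stanza -> [default] stanza -> Splunk's documented default, and an event
is "frozen" once its age exceeds that period.
"""
from datetime import datetime, timezone

# Default cited in the accepted answer: 188697600 seconds (about 6 years).
SPLUNK_DEFAULT_FROZEN_SECS = 188697600

# Constructed sample indexes.conf: [historical] uses the 12-year value from the
# follow-up post, [main] inherits the default, [firewall] keeps only 30 days.
SAMPLE_INDEXES_CONF = """\
[default]
maxTotalDataSizeMB = 500000

[historical]
homePath = $SPLUNK_DB/historical/db
frozenTimePeriodInSecs = 377395200

[main]
homePath = $SPLUNK_DB/defaultdb/db

[firewall]
homePath = $SPLUNK_DB/firewall/db
frozenTimePeriodInSecs = 2592000
"""

# Constructed clock: a 2014 (Splunk 6.1 era) instance ingesting mid-2008 events.
EXAMPLE_NOW = datetime(2014, 7, 1, tzinfo=timezone.utc)
EXAMPLE_EVENT_TIME = datetime(2008, 6, 1, tzinfo=timezone.utc)


def parse_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}}; '#' lines are comments."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def frozen_period(stanzas, index):
    """Effective frozenTimePeriodInSecs: index stanza, then [default], then the Splunk default."""
    for name in (index, "default"):
        value = stanzas.get(name, {}).get("frozenTimePeriodInSecs")
        if value is not None:
            return int(value)
    return SPLUNK_DEFAULT_FROZEN_SECS


def would_freeze(stanzas, index, event_time, now):
    """True if an event stamped event_time is already older than the index's retention at 'now'."""
    age_secs = (now - event_time).total_seconds()
    return age_secs > frozen_period(stanzas, index)


def retention_report(conf_text, event_time, now):
    """Map each real index (not [default]) to whether events of event_time would be frozen."""
    stanzas = parse_conf(conf_text)
    return {
        index: would_freeze(stanzas, index, event_time, now)
        for index in stanzas
        if index != "default"
    }


def demo_report():
    """Run the check on the constructed config and clock above."""
    return retention_report(SAMPLE_INDEXES_CONF, EXAMPLE_EVENT_TIME, EXAMPLE_NOW)


if __name__ == "__main__":
    for index, frozen in demo_report().items():
        status = "FROZEN (would be deleted after restart)" if frozen else "retained"
        print(f"{index:12s} {status}")
```

Running it shows [main] and [firewall] would freeze the 2008 events while [historical] keeps them, which is the situation the original poster hit: the data indexed fine, then the retention check after restart removed it. Running a check like this against the effective configuration before a bulk historical load avoids discovering the problem only after the restart.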
