I'm trying to troubleshoot a situation where recently indexed data was searchable up until Splunk was restarted. My license is valid, and I have no hard overage warnings.
I've even tried this on a test box with a fresh install of Splunk. After the restart the indicator on the right side of the home screen under Data went from 50+ million items to "Waiting for data..."
For full disclosure, I am trying to index some historical data from 2008. I did add the following to the props.conf located in ..Splunk/etc/system/local.
[default]
MAX_DAYS_AGO = 3650
Also, I am running v6.1.2 on Windows.
Check the "frozenTimePeriodInSecs" property for the index into which this is imported. This defines the data retirement policy for the index (events older than the frozenTimePeriodInSecs value, in seconds, will get deleted).
By default its value is 188697600, which is 6 years, and your data may be older than that. If the value for your index is less than or equal to this, that could be the cause. Just bump the value higher than this, if that is the case.
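The check the answer describes, as an added example that is not part of the original thread or of Splunk itself: a small Python script reads a constructed indexes.conf fragment (the [default] stanza with Splunk's shipped 188697600 s, plus a hypothetical "history2008" index stanza raised to 377395200 s), resolves the effective frozenTimePeriodInSecs for an index the way Splunk's per-index stanza overrides [default], and reports which sample 2008-era event timestamps fall outside the retention window at a given "now". The index name, the event timestamps and the reference date are all constructed for the example.

```python
import configparser
from datetime import datetime, timedelta, timezone

# Constructed indexes.conf fragment (not copied from any real deployment).
# [default] carries Splunk's shipped default of 188697600 s (6 years);
# [history2008] is a hypothetical index whose stanza overrides it.
SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 188697600

[history2008]
homePath = $SPLUNK_DB/history2008/db
frozenTimePeriodInSecs = 377395200
"""

# Constructed event timestamps: one from early 2008, two more recent.
SAMPLE_EVENTS = [
    datetime(2008, 3, 15, tzinfo=timezone.utc),
    datetime(2010, 6, 1, tzinfo=timezone.utc),
    datetime(2013, 1, 1, tzinfo=timezone.utc),
]

# Constructed reference date, roughly the era of Splunk 6.1.x.
NOW = datetime(2014, 7, 1, tzinfo=timezone.utc)


def frozen_period(conf_text, index):
    """Effective frozenTimePeriodInSecs for `index`.

    A per-index stanza wins; otherwise fall back to the [default] stanza,
    mirroring how Splunk layers indexes.conf settings.
    """
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__unused__")
    parser.optionxform = str  # keep Splunk's camelCase option names intact
    parser.read_string(conf_text)
    for stanza in (index, "default"):
        if parser.has_option(stanza, "frozenTimePeriodInSecs"):
            return int(parser.get(stanza, "frozenTimePeriodInSecs"))
    raise KeyError("no frozenTimePeriodInSecs for %r or [default]" % index)


def retention_cutoff(conf_text, index, now):
    """Oldest event time still inside the retention window at `now`."""
    return now - timedelta(seconds=frozen_period(conf_text, index))


def events_at_risk(conf_text, index, event_times, now):
    """Events older than the cutoff, i.e. candidates for freezing.

    Caveat: Splunk freezes whole buckets, based on the newest event in the
    bucket, so this per-event view is a conservative approximation that
    flags an event as soon as its own timestamp passes the cutoff.
    """
    cutoff = retention_cutoff(conf_text, index, now)
    return [t for t in event_times if t < cutoff]


if __name__ == "__main__":
    for index in ("main", "history2008"):
        period = frozen_period(SAMPLE_INDEXES_CONF, index)
        cutoff = retention_cutoff(SAMPLE_INDEXES_CONF, index, NOW)
        risky = events_at_risk(SAMPLE_INDEXES_CONF, index, SAMPLE_EVENTS, NOW)
        print("[%s] frozenTimePeriodInSecs=%d (~%.1f years), cutoff=%s"
              % (index, period, period / 86400 / 365.25, cutoff.date()))
        for t in risky:
            print("  would be frozen: %s" % t.date())
```

Running it shows that with the shipped default an index such as "main" has a cutoff in mid-2008, so the March 2008 event is flagged, while the "history2008" stanza's 12-year value keeps all three sample events inside the window.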
Success! I got this to work on a new test box. I confirmed it was working by restarting Splunk after indexing the logs and checking the results of a few queries.
Before indexing I didn't have an indexes.conf, so I copied the sample from ..Splunk/etc/system/default to ..Splunk/etc/system/local and changed frozenTimePeriodInSecs to
frozenTimePeriodInSecs = 377395200
Many thanks!