I am running the following search:
index=_internal source=*metrics.log
earliest=07/01/2015:00:00:0
latest=08/10/2015:23:59:59
| eval GB=kb/(1024*1024)
| search group="per_index_thruput"
| timechart span=1d sum(GB) by series limit=15
But when I run it, the chart data only goes back to July 13th.
Is there any way I can change the search to display all the data?
~Ed
The default retention period of the _internal index is 30 days (in indexes.conf on Indexers, frozenTimePeriodInSecs = 2592000). That's why the data that you see is approximately 30 days old. (there is no data to show beyond that point)
The default retention period of the _internal index is 30 days (in indexes.conf on Indexers, frozenTimePeriodInSecs = 2592000). That's why the data that you see is approximately 30 days old. (there is no data to show beyond that point)
Oh heck. thanks for the info.
~Ed