Hi! How can I find all the violations in the past? I have tried using this search and changing the time to all time, but I only get 31 rows (one month):
index=_internal source=*license_usage.log type=Usage | timechart span=1d eval(round(sum(b)/1024/1024/1024,2)) AS "Total GB Used"
Why is this search not showing all time? What am I missing?
Cheers!
Hi,
By default, the retention of the _internal index is 30 days. If you do not modify the default settings, you have no more data after 30 days (frozenTimePeriodInSecs = 2592000).
To avoid this, change this setting. Create indexes.conf in the directory SPLUNK_HOME/etc/system/local/indexes.conf and put in this setting:
[_internal]
frozenTimePeriodInSecs = xxxxxxxxxx
Regards,
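Added example, not part of the original answer and not Splunk's own tooling: a small Python check that layers a local `indexes.conf` stanza over the default one and reports whether the resulting `frozenTimePeriodInSecs` covers a given search window. The sample file contents are constructed, the 400-day override is an assumed value, and the function names are hypothetical; only two layers are modelled.

```python
import configparser

SECONDS_PER_DAY = 86400

# Constructed sample contents. 2592000 is the default quoted in the answer;
# the local value (400 days) is an assumed example, not a figure from the thread.
DEFAULT_CONF = "[_internal]\nfrozenTimePeriodInSecs = 2592000\n"
LOCAL_CONF = "[_internal]\nfrozenTimePeriodInSecs = 34560000\n"


def parse_conf(text):
    """Parse .conf-style text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # configparser lowercases keys unless told otherwise
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_settings(default_text, local_text=""):
    """Merge two layers; a key set in the local layer overrides the default."""
    merged = parse_conf(default_text)
    for stanza, kv in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def retention_days(settings, index):
    """Whole days of retention implied by frozenTimePeriodInSecs."""
    return int(settings[index]["frozenTimePeriodInSecs"]) // SECONDS_PER_DAY


def covers(settings, index, lookback_days):
    """True if the index's retention is at least lookback_days."""
    return retention_days(settings, index) >= lookback_days


if __name__ == "__main__":
    for label, local in (("default only", ""), ("with local override", LOCAL_CONF)):
        s = effective_settings(DEFAULT_CONF, local)
        print(f"{label}: _internal keeps {retention_days(s, '_internal')} days, "
              f"covers 365-day search: {covers(s, '_internal', 365)}")
```

Raising the value only affects data that has not yet been frozen; events that already aged out of `_internal` are not restored by the change.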
Thanks! Makes sense!