search results only for 3 months

splunkuseradmin
Path Finder

I have data indexing from January and have a query I am trying to run for the last 6 months or more, but the search results only show events back to March (last 3 months). How do I increase the search events limit?
I don't want to force the query using "earliest=-6mon@mon" "latest=@mon"; is there any other way? I need to save it as a report and use loadjob with a timepicker in a dashboard, so I cannot use earliest and latest in the search itself.

woodcock
Esteemed Legend

If you are using Accelerated Data Models, then you can extend the backfill farther back.
If you are an admin, you can extend your index retention in indexes.conf.
If you are an admin, you may be able to create a summary index and save a copy/summary of your events there.
See docs.splunk.com for details.

richgalloway
SplunkTrust

If you can only search back 3 months even when specifying earliest=-6mon then you probably only have 3 months of data in that index. There's nothing you can do in a search to locate data that's not there. Run this query to see how far back you can go with your query.

| tstats earliest(_time) as first, latest(_time) as last where index=foo | fieldformat first=strftime(first,"%c") | fieldformat last=strftime(last,"%c")
---
If this reply helps you, Karma would be appreciated.

splunkuseradmin
Path Finder

I know the data has been indexed since January 22nd. When you search with the time range set to only January or any specific month, I can see data, but when I search for the last 6 months I get only the past 3 months. I believe something is stopping the search from going back before March 27th; I only get data from March 27th.
Are there any limitations on user IDs (my role: power user)?

Below is the output for index="myindex":

first                      last
Sun Jan 6 08:23:35 2019    Thu Jul 4 12:26:39 2019
