I have data indexing from January and have a query I am trying to run for the last 6 months or more than 6 months, but the search results show events only till March (last 3 months). How do I increase the search events limit?
I don't want to force the query using "earliest=-6mon@mon" "latest=@mon"; instead, is there any other way? I need to save that as a report and use loadjob using the timepicker in a dashboard, so I cannot use earliest and latest in the search itself.
If you are using Accelerated Data Models, then you extend the backfill farther back.
If you are an admin, you can extend your index retention in indexes.conf
If you are an admin, you may be able to create a summary index and save a copy/summary of your events there.
See docs.splunk.com for details.
If you can only search back 3 months even when specifying earliest=-6mon then you probably only have 3 months of data in that index. There's nothing you can do in a search to locate data that's not there. Run this query to see how far back you can go with your query.
| tstats earliest(_time) as first, latest(_time) as last where index=foo | fieldformat first=strftime(first,"%c") | fieldformat last=strftime(last,"%c")
I know the data is being indexed since January 22nd. When you search with the time range set to only January or any specific month I can see data, but when I search for the last 6 months I get only the past 3 months. I believe something is stopping the search from going back before March 27th. I only get data from March 27th.
Are there any limitations on user IDs (my role: power user)?
Below is the output for index="myindex"
first                       last
Sun Jan 6 08:23:35 2019     Thu Jul 4 12:26:39 2019