Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search results only for 3 months

splunkuseradmin
Path Finder
‎07-03-2019 02:30 PM

I have data indexinng from January and have a query trying to run for last 6 months or more than 6 months, but search results events only till march(last 3 months). how to increase search events limit ?
I dont want to force query using "earliest=-6mon@mon" "latest=@mon", instead is there any other way ? as i need to save that as a report and use loadjob using timepicker in a dashboard. so cannot use earliest and latest in search itself.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-08-2019 07:04 PM

If you are using Accelerated Data Models, then you extend the backfill to farther back.
If you are an admin, you can extend your index retention in indexes.conf
If you are an admin, you may be able to create a summary index and save a copy/summary of your events there.
See docs.splunk.com for details.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-03-2019 06:56 PM

If you can only search back 3 months even when specifying earliest=-6mon then you probably only have 3 months of data in that index. There's nothing you can do in a search to locate data that's not there. Run this query to see how far back you can go with your query.

| tstats earliest(_time) as first, latest(_time) as last where index=foo | fieldformat first=strftime(first,"%c") | fieldformat last=strftime(last,"%c")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunkuseradmin
Path Finder
‎07-04-2019 12:26 PM

I know the data is bieng indexing since January 22nd, when you search with time range to only January or any specific month i can see data but when i search for last 6 months I get only past 3 months. i belive some thing is stopping search to go more back before march 27th.. i only get data from march 27th.
is there any limitations on userid's (my role :power user).

below is the output fro index="myindex"
first last
Sun Jan 6 08:23:35 2019 Thu Jul 4 12:26:39 2019

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...