Re: Why cant I see some data that I was able to se...

muez · ‎03-08-2020

Notes
- Our retention policy is 3 years for that abc index.
- When I exported the result of that query before 1 month, I was able to see that particular data
- Today when I run exact same query, I can see some missing data.
- To give you the detail, today I am seeing approx 20K less events out of 1L events.
- The date range is exact same

darrenfuller · ‎03-09-2020

On your indexing layer, run the following from the command line:

splunk btool indexes list <INDEXNAME> --debug

Replacing with the name of the index that you are seeing issues with. There are a few properties to take note of:

1) coldPath.maxDataSizeMB -- The total size in MB of the Cold path for data. If this size is exceeded, data will roll to frozen (and if there is no Cold-To-Frozen archiving strategy in place, will be deleted)
2) frozenTimePeriodInSecs -- The number of seconds before data is frozen
3) maxTotalDataSizeMB -- The maximum total size across all hot/warm/cold data locations

See if any of these are lower than you expect.

manjunathmeti · ‎03-08-2020

Check if data is deleted because of retention or max size in last 1 month.

index=_internal sourcetype=splunkd INDEX_NAME component=BucketMover frozenTimePeriodInSecs OR maxTotalDataSizeMB

muizash · ‎03-09-2020

@manjunathmeti The above query is not running, and also data data cant be deleted because retention is 3 years and time stamp of data was in january 2020 only

Why cant I see some data that I was able to see before 1 month? Even if retention policy of index is 3 years

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio