I have an index "main" and several sources associated with this index. The size limit of the index has been reached (150MB), but when I look for the earliest event, there is a difference between the sources.
Example:
source1 - first time event is August/2015 (50005771 events)
source2 - first time event is January/2016 (127797272 events)
source3 - first time event is March/2016 (982610866 events)
source4 - first time event is March/2016 (60681838 events)
To get the first time event I used the search below.
| metadata type=sources index=main | convert ctime(firstTime) | convert ctime(lastTime) | convert ctime(recentTime)
Why doesn't Splunk index the data since August/2015 for sources 2, 3 and 4? Shouldn't the sources have the same first time event?
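Added example, not part of the question above: two searches that cross-check the `| metadata` figures against the raw events and against the buckets actually on disk. The index name `main` is the one from the question; the alias names `firstTime`, `lastTime` and `oldestBucket` are chosen here and are not from the original post.

```spl
| tstats min(_time) AS firstTime max(_time) AS lastTime count
    WHERE index=main
    BY source
| convert ctime(firstTime) ctime(lastTime)
| sort firstTime
```

`tstats` reads the per-bucket time-series index, so `firstTime` here is the earliest event still searchable for each source, independent of the summary that `| metadata type=sources` keeps. A per-source `firstTime` that is later than the oldest bucket means that source simply has no events older than that; a `| metadata` value that is earlier than anything `tstats` returns means the metadata summary still remembers data whose bucket has already been frozen.

```spl
| dbinspect index=main
| stats min(startEpoch) AS oldestBucket max(endEpoch) AS newestBucket
        sum(sizeOnDiskMB) AS totalMB count AS buckets
    BY state
| convert ctime(oldestBucket) ctime(newestBucket)
```

`dbinspect` lists the hot, warm and cold buckets of the index with their time span and size on disk, so the second search shows how much of the 150MB is used and which time range the oldest surviving bucket covers. Comparing that range with the `tstats` output above tells you whether the August/2015 events are the only thing left from the oldest buckets, or whether the size limit has not yet forced any bucket out at all. Running both searches from the search head with an admin role is assumed, since `dbinspect` needs access to every indexer holding `main`.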