Re: How to increase logs retention period?

islam · ‎07-16-2020

Hi,

we are asked to increase our retention period of splunk logs to 1 year.

we need to put our data to be searchable for 1 year.

i'm very confused about hot, warm and cold data, are all of them is searchable or cold data is not searchable?

how can we configure this retenion period?

isoutamo · ‎07-16-2020

Hi

I hope that this will clarify it. https://sideviewapps.com/apps/cisco-cdr-reporting-and-analytics/documentation/administrative-concept...
r. Ismo

islam · ‎07-18-2020

Thank you so much, it's a very useful article.

also i have one question: the values of frozenTimePeriodInSecs and maxTotalDataSizeMB should be put under every index or just one time at the beginning of indexes.cong file ?

isoutamo · ‎07-19-2020

If those are same for all your indexes then you can put those on default stanza and if not then you should add those to the individual indexes.

islam · ‎07-20-2020

can i put specific period for hot and cold data, like hot data to be 6 months and cold data to be 6 moths also ?

isoutamo · ‎07-20-2020

No, only cold period can defined as seconds. Hot/warm is defined by bucket count and/or size of homePath.
r. Ismo

How to increase logs retention period?

index

indexer

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms