Hello folks,
I am new to Splunk. We need to change log indexing from 5 to 3 on Splunk Enterprise for Windows.
Is it safe to change all "maxBackupIndex" keys directly in /etc/log.cfg, or is there a better way to achieve that goal?
Thank you
Hi
The official way is to create a local-log.cfg file in which to make your local changes. Another way is to use the CLI, like:
splunk set log-level TailingProcessor -level DEBUG
https://docs.splunk.com/Documentation/Splunk/9.0.1/Troubleshooting/Enabledebuglogging
r. Ismo
ok thank you all
I suppose it depends on what you mean by "safe". Yes, you can do it without harming your Splunk installation. Keep in mind a couple of things before you make the change: 1) you will be changing a delivered file, so you will start seeing "File Integrity" messages in Splunk; and 2) upgrading Splunk will overwrite your changes to log.cfg.
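Added example, not part of any reply in this thread: a Python sketch that collects every maxBackupIndex key from log.cfg and renders only those keys, under their stanza headers, as the contents of the local override file (named log-local.cfg in Splunk's documentation). The shipped log.cfg then stays unmodified, which avoids the "File Integrity" messages and the upgrade overwrite mentioned above. The sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the stanza / key=value layout of log.cfg (not a real file).
SAMPLE_LOG_CFG = """\
[splunkd]
rootCategory=WARN,A1
appender.A1=RollingFileAppender
appender.A1.maxFileSize=25000000 # bytes
appender.A1.maxBackupIndex=5
appender.metrics.maxBackupIndex=5

[python]
appender.python.maxBackupIndex = 5
appender.python.maxFileSize=25000000
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
BACKUP = re.compile(r"^(?P<key>[^\s=#]+\.maxBackupIndex)\s*=\s*(?P<val>\d+)")


def build_overrides(cfg_text, new_value=3):
    """Return {stanza: [keys]} for each maxBackupIndex whose value differs from new_value."""
    overrides, stanza = {}, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = STANZA.match(line)
        if m:
            stanza = m.group("name")
            continue
        m = BACKUP.match(line)
        # Keys outside any stanza are ignored: an override needs its stanza header.
        if m and stanza is not None and int(m.group("val")) != new_value:
            overrides.setdefault(stanza, []).append(m.group("key"))
    return overrides


def render_local_cfg(cfg_text, new_value=3):
    """Render override-file text holding only the changed keys, grouped by stanza."""
    out = []
    for stanza, keys in build_overrides(cfg_text, new_value).items():
        out.append(f"[{stanza}]")
        out.extend(f"{key}={new_value}" for key in keys)
        out.append("")  # blank line between stanzas
    return "\n".join(out)
```

Review the rendered text before saving it next to log.cfg; a restart of Splunk is normally needed for logging configuration changes to take effect.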