Solved: It is safe to change all "maxBackupIndex" keys dir...

linspec9721 · ‎09-22-2022

Hello folks,

I am new to splunk. We need to change log indexing from 5 to 3 on Splunk Enterprise for Windows.

It is safe to change all "maxBackupIndex" keys directly in /etc/log.cfg or there is a better way to achieve that goal?

Thank you

isoutamo · ‎09-23-2022

Hi

the official way is to create local-log.cfg file where to do your local changes. Another way is use CLI like

splunk set log-level TailingProcessor -level DEBUG

https://docs.splunk.com/Documentation/Splunk/9.0.1/Troubleshooting/Enabledebuglogging

r. Ismo

View solution in original post

linspec9721 · ‎09-23-2022

ok thank you all

richgalloway · ‎09-22-2022

I suppose it depends on what you mean by "safe". Yes, you can do it without harming your Splunk installation. Keep in mind a couple of things before you make the change: 1) you will be changing a delivered file so you will starting seeing "File Integrity" messages in Splunk; and 2) upgrading Splunk will overwrite your changes to log.cfg.

---
If this reply helps you, Karma would be appreciated.

isoutamo · ‎09-23-2022

Hi

the official way is to create local-log.cfg file where to do your local changes. Another way is use CLI like

splunk set log-level TailingProcessor -level DEBUG

https://docs.splunk.com/Documentation/Splunk/9.0.1/Troubleshooting/Enabledebuglogging

r. Ismo

It is safe to change all "maxBackupIndex" keys directly in /etc/log.cfg or there is a better way to achieve that goal?

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases