https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15784#M1813 <P>we are in the process of investigating splunk for our IT datacenter. </P> <P>Does splunk store the old events that occured on a particular system. </P> Sat, 19 Jun 2010 00:40:09 GMT mihika 2010-06-19T00:40:09Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15784#M1813 <P>we are in the process of investigating splunk for our IT datacenter. </P> <P>Does splunk store the old events that occured on a particular system. </P> Sat, 19 Jun 2010 00:40:09 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15784#M1813 mihika 2010-06-19T00:40:09Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15785#M1814 <P>I'm not sure what you mean by "old logs"? I'm guessing your question has to do with how splunk stores events in general. There is also the discussion about event-retention policies which has to do with how long your events (or logs) are kept around after they have been indexed by splunk, but since your evaluating splunk, I'm guessing you aren't running to that just yet.</P> <P>Splunk stores all log as indexed events in a proprietary database-like "index" under your splunk install location.</P> <P>If your a looking for sizing information, it may be helpful to visit the directory where your data is stored. Out of the box, splunk contains several indexes (sometimes called "databases"). Here is the location of your "main" (default) index:</P> <PRE><CODE>$SPLUNK_HOME/var/lib/splunk/defaultdb </CODE></PRE> <P>The docs should give you a better idea of how this works. I would start here: <A href="http://www.splunk.com/base/Documentation/latest/Admin/WhatsaSplunkindex" rel="nofollow">What's a Splunk index?</A> and follow the various links provided.</P> Sat, 19 Jun 2010 00:52:02 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15785#M1814 Lowell 2010-06-19T00:52:02Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15786#M1815 <P>Please be more specific with your question and provide some context about what you are asking.</P> Sat, 19 Jun 2010 11:28:34 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15786#M1815 gkanapathy 2010-06-19T11:28:34Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15787#M1816 <P>If you are looking for logs for application errors (<EM>splunkd.log, python.log, etc.</EM>), you can find them here...</P> <PRE><CODE>$SPLUNK_HOME/var/log/splunk/ </CODE></PRE> Sat, 16 Feb 2013 13:56:29 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15787#M1816 slierninja 2013-02-16T13:56:29Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15788#M1817 <P>Yes, Splunk will store the events that were monitored and send to him by forwarders, or syslog or scripts, or directly monitored etc...</P> <P>The events are stored in in the splunk indexers in indexes in a timestamp order.<BR /> By default the retention size per index is 500GB and the time retention is 6 years. It can be changed of course depending of your needs and of your storage.</P> Sat, 16 Feb 2013 22:36:58 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-logs/m-p/15788#M1817 yannK 2013-02-16T22:36:58Z