https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344984#M63409 <P>Hi faisal_saifi,<BR /> you have many ways to have information (like retention period) about your indexes, you could use dbinspect CLI or enter in indexes.conf files or (easier) you can use the Distributed Monitoring Console.<BR /> There is a specific dashboard (Index Details: instance) to show all details about every index (Data Age vs Frozen Age, Index Usage, Home Path Usage, Cold Path Usage, retention, buckets...)</P> <P>About the location of logs in Splunk, you can find it in the same DMC dashboard below or in $SPLUNK_DB$ or in the indexes page.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 10 Mar 2017 08:13:18 GMT gcusello 2017-03-10T08:13:18Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344982#M63407 <P>Where does splunk store the notable events logs and how to know the retention period for the same?</P> Fri, 10 Mar 2017 07:33:17 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344982#M63407 faisal_saifi 2017-03-10T07:33:17Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344983#M63408 <P>Have you checked out dbinspect command? It gives info for various buckets in an index<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect</A></P> Fri, 10 Mar 2017 07:49:01 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344983#M63408 niketn 2017-03-10T07:49:01Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344984#M63409 <P>Hi faisal_saifi,<BR /> you have many ways to have information (like retention period) about your indexes, you could use dbinspect CLI or enter in indexes.conf files or (easier) you can use the Distributed Monitoring Console.<BR /> There is a specific dashboard (Index Details: instance) to show all details about every index (Data Age vs Frozen Age, Index Usage, Home Path Usage, Cold Path Usage, retention, buckets...)</P> <P>About the location of logs in Splunk, you can find it in the same DMC dashboard below or in $SPLUNK_DB$ or in the indexes page.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 10 Mar 2017 08:13:18 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344984#M63409 gcusello 2017-03-10T08:13:18Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344985#M63410 <P>Hi Giuseppe,<BR /> These are the indexes where collected logs stored. but i am unable to find the location where the data of notable events are getting stored. please let me know where these logs stored. whether it stored on search head itself or in any default index on indexer.</P> Fri, 10 Mar 2017 09:14:57 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344985#M63410 faisal_saifi 2017-03-10T09:14:57Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344986#M63411 <P>Hi Niketnilay,<BR /> These are the indexes where collected logs stored. but i am unable to find the location where the data of notable events are getting stored. please let me know where these logs stored. whether it stored on search head itself or in any default index on indexer.</P> Fri, 10 Mar 2017 09:15:47 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344986#M63411 faisal_saifi 2017-03-10T09:15:47Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344987#M63412 <P>Hi faisal_saifi,<BR /> Sorry but I don't understand what you mean with notable events:<BR /> All Splunk Data are usually stored on the indexes and indexes are on the Indexers.<BR /> Usually Search Heads logs are sent to indexers to have all logs on indexers.<BR /> Bye.<BR /> Giuseppe</P> Fri, 10 Mar 2017 10:30:37 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344987#M63412 gcusello 2017-03-10T10:30:37Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344988#M63413 <P>Are you referring to notable events generated by the Splunk App for Enterprise Security, or for those from the Splunk App for IT Service Service Intelligence (ITSI)? Please clarify.</P> <P>If it is neither, please describe what you mean by "notable events".</P> Fri, 10 Mar 2017 19:21:10 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344988#M63413 s2_splunk 2017-03-10T19:21:10Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344989#M63414 <P>Hi Niketnilay,<BR /> Yes you are absolutely right. I am talking about the notable events generated by the Splunk App for Enterprise Security based on the correlation rules created.</P> Mon, 13 Mar 2017 01:30:28 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344989#M63414 faisal_saifi 2017-03-13T01:30:28Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344990#M63415 <P>Hi Giuseppe,<BR /> I am talking about the notable events generated by the Splunk App for Enterprise Security based on the correlation rules created. Once the rules gets triggered, a notable event(Alert) generated in Enterprise Security App.</P> Mon, 13 Mar 2017 01:33:08 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344990#M63415 faisal_saifi 2017-03-13T01:33:08Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344991#M63416 <P>Ah, this was the misunderstanding!<BR /> I think that Notable events are alerts stored in savedsearches.conf file in ES App, but i'm not an expert in ES.<BR /> Bye.<BR /> Giuseppe</P> Mon, 13 Mar 2017 07:58:13 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344991#M63416 gcusello 2017-03-13T07:58:13Z https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344992#M63417 <P>This may help: <A href="http://dev.splunk.com/view/enterprise-security/SP-CAAAFBA">Notable Index</A></P> Mon, 13 Mar 2017 16:49:03 GMT https://community.splunk.com/t5/Getting-Data-In/Where-does-splunk-store-the-notable-events-logs-and-how-to-know/m-p/344992#M63417 s2_splunk 2017-03-13T16:49:03Z