https://community.splunk.com/t5/Getting-Data-In/audit-index-data-retention-in-Splunk-cluster/m-p/468961#M80685 <P>Hi,</P> <P>I have a Splunk cluster that consists of:<BR /> - 1 cluster master<BR /> - 3 indexers<BR /> - 1 search head</P> <P>The indexes at the search head are configured to be forwarded to the indexers.</P> <P>I would like to set a retention period shorter than the 6-year default to the _audit index in this Splunk cluster.</P> <P>Normally, to deploy indexes to the indexers, the procedure I use is to create an app with an indexes.conf inside the cluster master's master-apps directory, then push the configuration. However, I'm unsure if this procedure would work for _audit.</P> <P>How should I go about changing the retention period of the _audit index in all the indexers?</P> Sun, 22 Dec 2019 22:06:58 GMT pcsegal1 2019-12-22T22:06:58Z https://community.splunk.com/t5/Getting-Data-In/audit-index-data-retention-in-Splunk-cluster/m-p/468961#M80685 <P>Hi,</P> <P>I have a Splunk cluster that consists of:<BR /> - 1 cluster master<BR /> - 3 indexers<BR /> - 1 search head</P> <P>The indexes at the search head are configured to be forwarded to the indexers.</P> <P>I would like to set a retention period shorter than the 6-year default to the _audit index in this Splunk cluster.</P> <P>Normally, to deploy indexes to the indexers, the procedure I use is to create an app with an indexes.conf inside the cluster master's master-apps directory, then push the configuration. However, I'm unsure if this procedure would work for _audit.</P> <P>How should I go about changing the retention period of the _audit index in all the indexers?</P> Sun, 22 Dec 2019 22:06:58 GMT https://community.splunk.com/t5/Getting-Data-In/audit-index-data-retention-in-Splunk-cluster/m-p/468961#M80685 pcsegal1 2019-12-22T22:06:58Z https://community.splunk.com/t5/Getting-Data-In/audit-index-data-retention-in-Splunk-cluster/m-p/468962#M80686 <P>HI @pcsegal1,<BR /> for my experience, you could have two different approaches, both correct and efficient:</P> <UL> <LI>you could have all the indexes in a dedicated TA (called e.g. <CODE>TA_Indexers</CODE>) located in <CODE>%SPLUNK_HOME/etc/master-apps</CODE>, that contains indexes.conf and eventually props.conf and transforms.conf of all your apps , then put in <CODE>%SPLUNK_HOME/etc/master-apps/_cluster/local</CODE> indexes.conf for internal indexes (as _audit); in this way you divide physically and concettually your configuration files on Indexers Cluster;</LI> <LI>in the above TA_Indexers, put all the conf files, both of internal and external indexes.</LI> </UL> <P>I prefer the first one, but also the second is correct.</P> <P>In both cases, remember to add comments to each stanza.</P> <P>Also the _audit index and the other internal indexes can be managed in this way.</P> <P>Only one attention: choose the correct retention period related with your security policies and your regulation (e.g. in Italy audit logs must be archived at least for six months).</P> <P>Ciao and Merry Christmas.<BR /> Giuseppe</P> Mon, 23 Dec 2019 08:05:06 GMT https://community.splunk.com/t5/Getting-Data-In/audit-index-data-retention-in-Splunk-cluster/m-p/468962#M80686 gcusello 2019-12-23T08:05:06Z https://community.splunk.com/t5/Getting-Data-In/audit-index-data-retention-in-Splunk-cluster/m-p/468963#M80687 <P>I applied your first approach (put in <CODE>%SPLUNK_HOME/etc/master-apps/_cluster/local</CODE> an <CODE>indexes.conf</CODE> file for the <CODE>_audit</CODE> index) and it worked as expected. Thank you and Merry Christmas.</P> Mon, 23 Dec 2019 21:31:38 GMT https://community.splunk.com/t5/Getting-Data-In/audit-index-data-retention-in-Splunk-cluster/m-p/468963#M80687 pcsegal1 2019-12-23T21:31:38Z