How to extend Splunk log retention to forever?

csahoo — Fri, 13 May 2022 16:12:24 GMT

We have a service for which we have splunk dashboard is in place and right now the dashboard have the limitation that it can populate based on 3 month old data due to log retention policy , but right now there is a business requirement that the dashboard should populate based on forever data.

so here i want to understand what can be efficient and economical way to extend the log retention to forever in Splunk.

Re: Extend Splunk log retention to forever

gcusello — Fri, 13 May 2022 08:03:33 GMT

Hi @csahoo,

for my expertience there isn't any requirement from regulations or logic to have a forever retention on your logs!

You should understand if there are regulations requirements that usually are the drivers in retention policies: e.g. in Italy there's a regulation that requires 6 months or retention for system access logs.

About the logs not under a regulation, you could maintain that for three, six or twelve months, more I think that it's completely unuseful.

Eventually, you could maintain some statistics for two or three years, but not full logs.

The reason of this is obviously that logs maintaining requires storage and it cost, especially if you have a great daily volume.

I hope to be useful in my dissertation on maximum systems, at the end, try to have the less quantity of logs as possible to maintain.

Ciao.

Giuseppe

topic How to extend Splunk log retention to forever? in Splunk Search

How to extend Splunk log retention to forever?

Re: Extend Splunk log retention to forever