All Apps and Add-ons

Increase the retention on Splunk license usage log

sugarmanhk
New Member

Hi Support,

Our customer is WFAO and they are in cc list.
We found that the license usage log will be truncated after 30 days even we the dish space of the index “_internal” were using under 30%
alt text
Our questions is that how can we increase the retention period of the license usage log? Is it the same that we set the " frozenTimePeriodInSecs” under system/local/indexes.conf [_internal]? Or there is any other special settings?

0 Karma
1 Solution

adonio
Ultra Champion

hello there,

out of the box, the retention for internal indexes are 30 days (2592000 seconds)
$SPLUNK_HOME/etc/system/default/indexes.conf

[_internal]
homePath   = $SPLUNK_DB\_internaldb\db
coldPath   = $SPLUNK_DB\_internaldb\colddb
thawedPath = $SPLUNK_DB\_internaldb\thaweddb
tstatsHomePath = volume:_splunk_summaries\_internaldb\datamodel_summary
maxDataSize = 1000
maxHotSpanSecs = 432000
frozenTimePeriodInSecs = 2592000

you can increase the retention or, like i have seen many times, write a summary search that capture the daily license metrics you are interested and you can have many years retention for very little amount of disk.
also searches and calculations will run faster

hope it helps

View solution in original post

adonio
Ultra Champion

hello there,

out of the box, the retention for internal indexes are 30 days (2592000 seconds)
$SPLUNK_HOME/etc/system/default/indexes.conf

[_internal]
homePath   = $SPLUNK_DB\_internaldb\db
coldPath   = $SPLUNK_DB\_internaldb\colddb
thawedPath = $SPLUNK_DB\_internaldb\thaweddb
tstatsHomePath = volume:_splunk_summaries\_internaldb\datamodel_summary
maxDataSize = 1000
maxHotSpanSecs = 432000
frozenTimePeriodInSecs = 2592000

you can increase the retention or, like i have seen many times, write a summary search that capture the daily license metrics you are interested and you can have many years retention for very little amount of disk.
also searches and calculations will run faster

hope it helps

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...