Precedence of log retention configuration

ateesh
Observer

Hi Team,

Our Splunk license is going to expire and we are working to get a new license. Our current environment is a clustered one with 12 indexers, 1 SH, 1 CM and 1 DS. However, we have decided to stop the ingestion of data and would like to keep Splunk intact only for searching the already indexed data. As a result, we are planning to move to the Free license for the time being. We do understand that under the Free license the clustered model won't work and each Splunk instance becomes standalone, but we are okay to perform the search on individual indexers if required. However, our concern is that the log retention configuration is currently placed in the following directory on all of the indexers, that is, /files0/splunk/etc/Master-app/_cluster/local/indexer.conf. Will this still have higher precedence over /files0/splunk/etc/system/default/indexer.conf, or do we need to make changes?
