How to increase logs retention period?

islam · ‎07-16-2020

Hi,

we are asked to increase our retention period of splunk logs to 1 year.

we need to put our data to be searchable for 1 year.

i'm very confused about hot, warm and cold data, are all of them is searchable or cold data is not searchable?

how can we configure this retenion period?

isoutamo · ‎07-16-2020

Hi

I hope that this will clarify it. https://sideviewapps.com/apps/cisco-cdr-reporting-and-analytics/documentation/administrative-concept...
r. Ismo

islam · ‎07-18-2020

Thank you so much, it's a very useful article.

also i have one question: the values of frozenTimePeriodInSecs and maxTotalDataSizeMB should be put under every index or just one time at the beginning of indexes.cong file ?

isoutamo · ‎07-19-2020

If those are same for all your indexes then you can put those on default stanza and if not then you should add those to the individual indexes.

islam · ‎07-20-2020

can i put specific period for hot and cold data, like hot data to be 6 months and cold data to be 6 moths also ?

isoutamo · ‎07-20-2020

No, only cold period can defined as seconds. Hot/warm is defined by bucket count and/or size of homePath.
r. Ismo

How to increase logs retention period?

index

indexer

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!