I've studied that Splunk is capable of retaining the original logs fed into it, and also of auditing any changes made to those original logs. Is this correct?
If yes, I could not find the related docs to configure this. I am running the Splunk 4.2 free version. I need the original logs for audit purposes. Can someone help me with this? Thanks in advance.
Hello MW, thank you for the valuable answer. With regard to my query, I can see that this is possible only in the licensed version; is that true? If not, then please guide me in setting up the retention policy.