Getting Data In

Where does Splunk store the notable event logs, and how can I find the retention period for them?

New Member

Where does Splunk store the notable event logs, and how can I find the retention period for them?

0 Karma

Splunk Employee

This may help: Notable Index

0 Karma

Splunk Employee

Are you referring to notable events generated by the Splunk App for Enterprise Security, or to those from the Splunk App for IT Service Intelligence (ITSI)? Please clarify.

If it is neither, please describe what you mean by "notable events".

0 Karma

New Member

Hi Niketnilay,
Yes, you are absolutely right. I am talking about the notable events generated by the Splunk App for Enterprise Security, based on the correlation rules that were created.

0 Karma

SplunkTrust

Hi faisal_saifi,
You have many ways to get information (like the retention period) about your indexes: you could use the dbinspect CLI, look in the indexes.conf files, or (easier) use the Distributed Monitoring Console.
There is a specific dashboard (Index Details: instance) that shows all the details about every index (Data Age vs Frozen Age, Index Usage, Home Path Usage, Cold Path Usage, retention, buckets...).

About the location of logs in Splunk, you can find it in the same DMC dashboard mentioned above, in $SPLUNK_DB$, or on the indexes page.

Bye.
Giuseppe

0 Karma
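As a worked example of the indexes.conf / DMC approach described above (added here, not part of Giuseppe's reply or of the Splunk product), the search below reads the effective index configuration from the REST API of every search peer, so it shows the retention settings and on-disk paths without opening files on each indexer. It assumes Enterprise Security's default index name, `notable`, and that it is run on a search head with the indexers configured as search peers; the field names are those of the `/services/data/indexes` endpoint.

```spl
| rest /services/data/indexes/notable splunk_server=*
| eval retention_days=round(frozenTimePeriodInSecs/86400, 1)
| eval size_cap_gb=round(maxTotalDataSizeMB/1024, 1)
| table splunk_server title homePath coldPath thawedPath coldToFrozenDir frozenTimePeriodInSecs retention_days maxTotalDataSizeMB size_cap_gb currentDBSizeMB totalEventCount minTime maxTime
```

One row comes back per indexer that has the index. `homePath` and `coldPath` are the on-disk locations (normally expanded under `$SPLUNK_DB`), `minTime`/`maxTime` show the oldest and newest event actually held, and the retention is whichever of the two limits is hit first: a bucket rolls to frozen when its newest event is older than `frozenTimePeriodInSecs`, or earlier if the index grows past `maxTotalDataSizeMB`. If `coldToFrozenDir` is empty (and no `coldToFrozenScript` is set), frozen means deleted, so a long `frozenTimePeriodInSecs` is no guarantee that old notables survive on a size-constrained indexer.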

New Member

Hi Giuseppe,
These are the indexes where the collected logs are stored, but I am unable to find the location where the data of the notable events is stored. Please let me know where these logs are stored: whether on the search head itself or in a default index on the indexer.

0 Karma

SplunkTrust

Hi faisal_saifi,
Sorry, but I don't understand what you mean by notable events:
All Splunk data is usually stored in the indexes, and the indexes are on the indexers.
Usually the search heads' logs are sent to the indexers, so that all logs are on the indexers.
Bye.
Giuseppe

0 Karma

New Member

Hi Giuseppe,
I am talking about the notable events generated by the Splunk App for Enterprise Security based on the correlation rules that were created. Once a rule gets triggered, a notable event (alert) is generated in the Enterprise Security app.

0 Karma

SplunkTrust

Ah, this was the misunderstanding!
I think that notable events are alerts stored in the savedsearches.conf file in the ES app, but I'm not an expert in ES.
Bye.
Giuseppe

0 Karma

Legend

Have you checked out the dbinspect command? It gives info on the various buckets in an index.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
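Since both this reply and Giuseppe's point at dbinspect, here is one worked example of it for the ES notable index (added here; it is not code from either reply or from the Splunk product). It assumes the default index name `notable` and a search head with the indexers as search peers; `startEpoch`, `endEpoch`, `state`, `sizeOnDiskMB` and `splunk_server` are the fields dbinspect returns for each bucket. Where the REST index configuration tells you the configured retention, this shows what is actually on disk, which is what you need to check when you suspect data is being frozen earlier than the configured period.

```spl
| dbinspect index=notable
| eval age_days=round((now() - startEpoch) / 86400, 1)
| stats count AS buckets sum(sizeOnDiskMB) AS size_mb min(startEpoch) AS oldest_epoch max(endEpoch) AS newest_epoch max(age_days) AS oldest_age_days BY splunk_server state
| eval oldest=strftime(oldest_epoch, "%Y-%m-%d"), newest=strftime(newest_epoch, "%Y-%m-%d")
| table splunk_server state buckets size_mb oldest newest oldest_age_days
```

The result is one row per indexer and bucket state (hot, warm, cold), with the age of the oldest event each indexer still holds. Drop the `stats` line and keep the `path` field instead if you want the directory of every individual bucket; comparing `oldest_age_days` against `frozenTimePeriodInSecs/86400` from the index configuration tells you whether the notable index is being trimmed by age or by the size cap.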

New Member

Hi Niketnilay,
These are the indexes where the collected logs are stored, but I am unable to find the location where the data of the notable events is stored. Please let me know where these logs are stored: whether on the search head itself or in a default index on the indexer.

0 Karma