Getting Data In

Where does splunk store the notable events logs and how to know the retention period for the same?

faisal_saifi
New Member

Where does splunk store the notable events logs and how to know the retention period for the same?

0 Karma

s2_splunk
Splunk Employee

This may help: Notable Index

0 Karma

s2_splunk
Splunk Employee

Are you referring to notable events generated by the Splunk App for Enterprise Security, or to those from the Splunk App for IT Service Intelligence (ITSI)? Please clarify.

If it is neither, please describe what you mean by "notable events".

0 Karma

faisal_saifi
New Member

Hi Niketnilay,
Yes you are absolutely right. I am talking about the notable events generated by the Splunk App for Enterprise Security based on the correlation rules created.

0 Karma

gcusello
SplunkTrust

Hi faisal_saifi,
You have many ways to get information (like the retention period) about your indexes: you could use the dbinspect CLI, look in the indexes.conf files, or (easier) use the Distributed Monitoring Console.
There is a specific dashboard (Index Details: Instance) that shows all the details about every index (Data Age vs Frozen Age, Index Usage, Home Path Usage, Cold Path Usage, retention, buckets...).

As for the location of logs in Splunk, you can find it in the same DMC dashboard below, in $SPLUNK_DB, or in the indexes page.

Bye.
Giuseppe

0 Karma

faisal_saifi
New Member

Hi Giuseppe,
These are the indexes where the collected logs are stored, but I am unable to find the location where the data of notable events is getting stored. Please let me know where these logs are stored: whether they are stored on the search head itself or in a default index on the indexer.

0 Karma

gcusello
SplunkTrust

Hi faisal_saifi,
Sorry, but I don't understand what you mean by notable events:
All Splunk data is usually stored in indexes, and indexes are on the indexers.
Usually search head logs are sent to the indexers so that all logs are on the indexers.
Bye.
Giuseppe

0 Karma

faisal_saifi
New Member

Hi Giuseppe,
I am talking about the notable events generated by the Splunk App for Enterprise Security based on the correlation rules created. Once a rule gets triggered, a notable event (alert) is generated in the Enterprise Security app.

0 Karma

gcusello
SplunkTrust

Ah, this was the misunderstanding!
I think that notable events are alerts stored in the savedsearches.conf file in the ES app, but I'm not an expert in ES.
Bye.
Giuseppe

0 Karma

niketn
Legend

Have you checked out the dbinspect command? It gives info about the various buckets in an index.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
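The two answers above (Giuseppe's pointer to indexes.conf and the Monitoring Console, and niketn's pointer to dbinspect) both come down to reading the per-index retention settings. Enterprise Security writes notable events to the `notable` index on the indexers (the "Notable Index" link earlier in the thread), so the retention question is answered by the effective `frozenTimePeriodInSecs` and `maxTotalDataSizeMB` for that stanza. The script below is an added example written for this thread, not code from Splunk or from any poster: it parses a constructed indexes.conf excerpt the way `splunk btool indexes list --debug` would show it, applies Splunk's stanza-then-[default]-then-built-in precedence, and reports the effective retention and on-disk path. The sample stanza values, the `/opt/splunk/var/lib/splunk` value assumed for `$SPLUNK_DB`, and the function names are all assumptions for illustration; the built-in defaults (188697600 seconds, 500000 MB) are the documented indexes.conf defaults.

```python
"""Effective retention of a Splunk index from indexes.conf.

Added example for this thread, not Splunk's code. The conf excerpt is
constructed; run `splunk btool indexes list notable --debug` on an
indexer (or `| rest /services/data/indexes/notable`) to get real values.
"""
import re

# Documented built-in defaults from indexes.conf.spec.
BUILTIN_DEFAULTS = {
    "frozenTimePeriodInSecs": "188697600",  # 6 years
    "maxTotalDataSizeMB": "500000",
}

# Constructed sample: a [default] stanza plus a stanza for the ES notable index.
SAMPLE_INDEXES_CONF = """\
# global defaults for every index on this indexer
[default]
frozenTimePeriodInSecs = 188697600
maxTotalDataSizeMB = 500000

[notable]
homePath   = $SPLUNK_DB/notabledb/db
coldPath   = $SPLUNK_DB/notabledb/colddb
thawedPath = $SPLUNK_DB/notabledb/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 10000
"""

_STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
_KV = re.compile(r"^(?P<key>[^=#\s]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_indexes_conf(text):
    """Parse conf text into {stanza: {key: value}}; comments and blank lines are skipped."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STANZA.match(line)
        if m:
            current = conf.setdefault(m.group("name"), {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value")
    return conf


def effective_setting(conf, index, key):
    """Splunk precedence: the index's own stanza, then [default], then the built-in default."""
    for stanza in (index, "default"):
        value = conf.get(stanza, {}).get(key)
        if value is not None:
            return value
    return BUILTIN_DEFAULTS.get(key)


def retention_summary(conf, index, splunk_db="/opt/splunk/var/lib/splunk"):
    """Retention facts for one index.

    splunk_db is an assumed value for $SPLUNK_DB (normally $SPLUNK_HOME/var/lib/splunk);
    substitute the real one from your indexer.
    """
    frozen_secs = int(effective_setting(conf, index, "frozenTimePeriodInSecs"))
    max_mb = int(effective_setting(conf, index, "maxTotalDataSizeMB"))
    # Splunk's default homePath is $SPLUNK_DB/<index>/db when the stanza sets none.
    home = effective_setting(conf, index, "homePath") or f"$SPLUNK_DB/{index}/db"
    return {
        "index": index,
        "home_path": home.replace("$SPLUNK_DB", splunk_db),
        "frozen_secs": frozen_secs,
        "frozen_days": frozen_secs / 86400,
        "max_total_mb": max_mb,
        # Caveat: a bucket rolls to frozen (i.e. is deleted unless coldToFrozenDir or
        # coldToFrozenScript is set) when EITHER limit is hit, so a small
        # maxTotalDataSizeMB shortens real retention below frozenTimePeriodInSecs.
        "rolls_on": "time or total size, whichever is reached first",
    }


if __name__ == "__main__":
    conf = parse_indexes_conf(SAMPLE_INDEXES_CONF)
    for name in ("notable", "main"):
        s = retention_summary(conf, name)
        print(f"{s['index']}: {s['frozen_days']:.0f} days / {s['max_total_mb']} MB "
              f"at {s['home_path']} (rolls on {s['rolls_on']})")
```

The check a practitioner wants is the size caveat: the Monitoring Console's "Data Age vs Frozen Age" panel tells you how old the oldest notable bucket actually is, and if that is well under `frozenTimePeriodInSecs` the index is most likely being rolled on `maxTotalDataSizeMB` rather than on age.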

faisal_saifi
New Member

Hi Niketnilay,
These are the indexes where the collected logs are stored, but I am unable to find the location where the data of notable events is getting stored. Please let me know where these logs are stored: whether they are stored on the search head itself or in a default index on the indexer.

0 Karma