Where does splunk store the notable events logs and how to know the retention period for the same?
This may help: Notable Index
Are you referring to notable events generated by the Splunk App for Enterprise Security, or to those from the Splunk App for IT Service Intelligence (ITSI)? Please clarify.
If it is neither, please describe what you mean by "notable events".
Hi Niketnilay,
Yes you are absolutely right. I am talking about the notable events generated by the Splunk App for Enterprise Security based on the correlation rules created.
Hi faisal_saifi,
You have many ways to get information (like the retention period) about your indexes: you could use the dbinspect CLI, look in the indexes.conf files, or (easier) use the Distributed Monitoring Console.
There is a specific dashboard (Index Details: instance) that shows all details about every index (Data Age vs Frozen Age, Index Usage, Home Path Usage, Cold Path Usage, retention, buckets...).
As for the location of logs in Splunk, you can find it in the same DMC dashboard below, in $SPLUNK_DB$, or in the indexes page.
Bye.
Giuseppe
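An added example, not code from this thread or from Splunk, of reading the retention settings Giuseppe points at straight out of indexes.conf. The stanza names, paths and values in the embedded config are constructed for the example (a `notable` stanza is included only because the thread mentions the notable index); the two built-in fallback values are Splunk's documented defaults for `frozenTimePeriodInSecs` and `maxTotalDataSizeMB`, and `[default]` inheritance is modelled with configparser's default section:

```python
"""Resolve per-index retention from an indexes.conf file.

Two settings decide when Splunk rolls buckets to frozen (deletes them unless
a coldToFrozen* path/script is set): frozenTimePeriodInSecs (age) and
maxTotalDataSizeMB (size).  A stanza inherits what it does not set from
[default]; anything still unset falls back to Splunk's built-in defaults.
Constructed sample config: every index name and value here is an assumption.
"""
import configparser
import io

# Splunk's built-in defaults, used when neither the stanza nor [default] sets them.
BUILTIN_DEFAULTS = {
    "frozenTimePeriodInSecs": 188697600,   # 6 years
    "maxTotalDataSizeMB": 500000,
}

SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 200000

[main]
homePath = $SPLUNK_DB/defaultdb/db

[notable]
homePath = $SPLUNK_DB/notable/db
coldPath = $SPLUNK_DB/notable/colddb
thawedPath = $SPLUNK_DB/notable/thaweddb
frozenTimePeriodInSecs = 31536000

[windows]
homePath = $SPLUNK_DB/windows/db
maxTotalDataSizeMB = 50000
"""


def effective_retention(conf_text):
    """Return {index: {frozenTimePeriodInSecs, retention_days, maxTotalDataSizeMB}}
    with [default] and built-in fallbacks already applied."""
    # default_section="default" makes configparser treat Splunk's [default]
    # stanza as the fallback for every other stanza; interpolation is off so
    # $SPLUNK_DB is kept literally; optionxform=str keeps Splunk's camelCase keys.
    cp = configparser.ConfigParser(interpolation=None, default_section="default")
    cp.optionxform = str
    cp.read_file(io.StringIO(conf_text))

    result = {}
    for index in cp.sections():          # sections() never includes the default section
        secs = cp.getint(index, "frozenTimePeriodInSecs",
                         fallback=BUILTIN_DEFAULTS["frozenTimePeriodInSecs"])
        size_mb = cp.getint(index, "maxTotalDataSizeMB",
                            fallback=BUILTIN_DEFAULTS["maxTotalDataSizeMB"])
        result[index] = {
            "frozenTimePeriodInSecs": secs,
            "retention_days": secs / 86400,
            "maxTotalDataSizeMB": size_mb,
        }
    return result


def shorter_than(retention, required_days):
    """Names of indexes whose age-based retention is below a required minimum
    (e.g. an investigation or compliance requirement), in file order."""
    return [name for name, r in retention.items() if r["retention_days"] < required_days]


if __name__ == "__main__":
    retention = effective_retention(SAMPLE_INDEXES_CONF)
    for name, r in retention.items():
        print(f"{name:10s} {r['retention_days']:8.1f} days  {r['maxTotalDataSizeMB']:>8d} MB")
    print("below 180 days:", shorter_than(retention, 180))
```

Two caveats a practitioner should keep in mind: the age limit is only one trigger, since an index also freezes its oldest buckets as soon as it reaches `maxTotalDataSizeMB` (or a volume limit), so the effective retention can be shorter than `frozenTimePeriodInSecs` suggests; and Splunk merges every indexes.conf in its precedence order, so read the merged result with `splunk btool indexes list --debug` on the indexer, or query a running instance with `| rest /services/data/indexes`, rather than trusting a single file.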
Hi Giuseppe,
These are the indexes where collected logs are stored, but I am unable to find the location where the data of notable events is getting stored. Please let me know where these logs are stored, whether on the search head itself or in a default index on the indexer.
Hi faisal_saifi,
Sorry, but I don't understand what you mean by notable events:
All Splunk data is usually stored in indexes, and indexes are on the indexers.
Usually search head logs are sent to the indexers so that all logs are on the indexers.
Bye.
Giuseppe
Hi Giuseppe,
I am talking about the notable events generated by the Splunk App for Enterprise Security based on the correlation rules created. Once the rules get triggered, a notable event (alert) is generated in the Enterprise Security app.
Ah, this was the misunderstanding!
I think that notable events are alerts stored in the savedsearches.conf file in the ES app, but I'm not an expert in ES.
Bye.
Giuseppe
Have you checked out the dbinspect command? It gives info on the various buckets in an index:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect
Hi Niketnilay,
These are the indexes where collected logs are stored, but I am unable to find the location where the data of notable events is getting stored. Please let me know where these logs are stored, whether on the search head itself or in a default index on the indexer.