Why are Unix sourcetypes unsearchable in Splunk be...

zijian · ‎07-21-2022

Hi all,

I found that searches in my unix index returns events only up to the past two months for a significant number of sourcetypes (bash_history, audit, secure, sudo logs).

Shouldn't the events be retained according to the retention period set using 'frozenTimePeriodInSecs'?

We set the period to 365 days.

Regards,

Zijian

gcusello · ‎07-21-2022

Hi @zijian,

if you have logs of arounf two months ago but you don't have logs ot today, probably means that you had a problem that blocked the log ingestions.

The retention is satisfied because you have logs of two months ago that aren't outside the retention period.

So I hint to check the log ingestions.

If instead the problem is that you haven't logs older than 2 months, I hint to see if there are more retention definitions for that index that override the correct one.

You can do this using btool (https://docs.splunk.com/Documentation/Splunk/9.0.0/Troubleshooting/Usebtooltotroubleshootconfigurati...).

Ciao.

Giuseppe

Why are Unix sourcetypes unsearchable in Splunk beyond past two months

index

Linux

sourcetype

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Are you a member of the Splunk Community?