Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Audit index clean up

rranjan2020
New Member
‎12-16-2020 12:26 AM

Hello, I am trying to delete data from _audit index. Currently it contains last 6 years data and occupying lot of space. I modified the $SPLUNK_HOME/etc/system/default/indexes.conf and added below under _audit stanza:

 

 

[_audit]
FrozenTimePeriodInSecs = 3153600

 

 

I restarted the splunk after making the changes. But I still see older data under Audit. Can you please help in finding what is wrong here? Do I need to make any additional changes or invoke anything to reflect the changes?

Thanks in advance for your help.

Labels (3)
0 Karma
Reply

saravanan90
Contributor
‎12-16-2020 04:51 AM

It might be configured in some other apps. Please check the value through btool.

./splunk btool indexes list _audit --debug | grep frozenTimePeriodInSecs

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...