Hi
I configured an archiving policy and I would like to notice when logs are archived. Is there any way to do so? I guess if an archive job is logged as a system log, I can detect it in the _internal index.
Thank you
Yes, the _internal log is your friend in this case. This search should get you started. Note that Splunk freezes/archives buckets rather than logs. Any given log file may be in multiple buckets and a bucket may contain data from multiple sources. It depends on your configuration.
index=_internal BucketMover component=BucketMover "freeze succeeded"
Thank you!
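An added example, not part of the original thread: a Python sketch that summarizes freeze events per index directory from exported results of the search above or from splunkd.log. The sample lines are constructed, the "freeze succeeded for bkt='...'" message layout is an assumption, and `summarize_freezes` is a hypothetical helper name.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines. The message layout (timestamp, level, component,
# "freeze succeeded for bkt='<path>'") is an assumption about splunkd.log;
# adjust FREEZE_RE to match what the search returns on your version.
SAMPLE_LOG = """\
03-14-2024 02:10:11.532 +0000 INFO  BucketMover - AsyncFreezer freeze succeeded for bkt='/opt/splunk/var/lib/splunk/web/colddb/db_1700003600_1700000000_12'
03-14-2024 02:10:12.018 +0000 INFO  BucketMover - AsyncFreezer freeze succeeded for bkt='/opt/splunk/var/lib/splunk/web/colddb/db_1700090000_1700003601_13'
03-14-2024 02:10:12.400 +0000 INFO  DatabaseDirectoryManager - idx=web Writing a bucket manifest
03-14-2024 02:11:40.907 +0000 INFO  BucketMover - AsyncFreezer freeze succeeded for bkt='/opt/splunk/var/lib/splunk/audit/colddb/db_1690000500_1690000000_4'
"""

FREEZE_RE = re.compile(r"BucketMover - .*freeze succeeded.*bkt='([^']+)'")
# Bucket directory names encode event times: db_<newest>_<oldest>_<id>
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)")


def _iso(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize_freezes(log_text):
    """Return {index_dir: {"buckets": n, "oldest": iso, "newest": iso}}."""
    spans = defaultdict(list)
    for line in log_text.splitlines():
        hit = FREEZE_RE.search(line)
        if not hit:
            continue  # not a successful freeze message
        parts = re.split(r"[\\/]", hit.group(1))
        name = BUCKET_RE.match(parts[-1])
        if not name or len(parts) < 3:
            continue  # unexpected path layout; skip rather than guess
        newest, oldest = int(name.group(1)), int(name.group(2))
        # parts[-3] is the index *directory*, which can differ from the index name
        spans[parts[-3]].append((oldest, newest))
    return {
        idx: {"buckets": len(v),
              "oldest": _iso(min(o for o, _ in v)),
              "newest": _iso(max(n for _, n in v))}
        for idx, v in spans.items()
    }


if __name__ == "__main__":
    for idx, info in summarize_freezes(SAMPLE_LOG).items():
        print(idx, info)
```

The oldest/newest values show which event time range left the searchable indexes with each freeze, which is the part the raw "freeze succeeded" message does not state directly.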