Solved: How do I set the retention for logs in splunkd.log...

sympatiko · ‎07-21-2015

Hi splunkers,

I just want to keep the last 2 months / 60 days of my splunkd.log . Can I add it on logrotate.conf?

Thanks

jeffland · ‎07-21-2015

You could change the setting of the _internal index by adding these lines to your indexes.conf:

[_internal]
frozenTimePeriodInSecs = 5184000

This would keep everything in that index for longer than the usual month.

Alternatively, you could add a monitor to the splunkd.log to another index and keep those logs extra.

cbasta · ‎04-14-2018

Edit the log.conf in $SPLUNK_HOME/etc

The only issue is when you do an upgrade of Splunk, that file will get overwritten.

jeffland · ‎07-21-2015

You could change the setting of the _internal index by adding these lines to your indexes.conf:

[_internal]
frozenTimePeriodInSecs = 5184000

This would keep everything in that index for longer than the usual month.

Alternatively, you could add a monitor to the splunkd.log to another index and keep those logs extra.

How do I set the retention for logs in splunkd.log to 60 days?