Monitoring Splunk

How do I set the retention for logs in splunkd.log to 60 days?

sympatiko
Communicator

Hi splunkers,

I just want to keep the last 2 months / 60 days of my splunkd.log . Can I add it on logrotate.conf?

Thanks

0 Karma
1 Solution

jeffland
SplunkTrust
SplunkTrust

You could change the setting of the _internal index by adding these lines to your indexes.conf:

[_internal]
frozenTimePeriodInSecs = 5184000

This would keep everything in that index for longer than the usual month.

Alternatively, you could add a monitor to the splunkd.log to another index and keep those logs extra.

View solution in original post

cbasta
New Member

Edit the log.conf in $SPLUNK_HOME/etc

The only issue is when you do an upgrade of Splunk, that file will get overwritten.

0 Karma

jeffland
SplunkTrust
SplunkTrust

You could change the setting of the _internal index by adding these lines to your indexes.conf:

[_internal]
frozenTimePeriodInSecs = 5184000

This would keep everything in that index for longer than the usual month.

Alternatively, you could add a monitor to the splunkd.log to another index and keep those logs extra.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...