Security

how to limit one device 20MB logs data per day?

dikaye
Path Finder

Hi Sir,

how to setup a index policy to limit one device per day logs size?

for example, I want to limit a device 20MB logs data per day. when the hot bucket stages reachs 20MB during one day, it will auto roll to warm stages, then the logs exceed 20MB incoming will be droped.

if the hot bucket stages don't reach 20MB during one day, it also will auto roll to warm stages, then create other hot bucket which limit 20MB logs data on the next day.

thanks...

Tags (1)

nk-1
Path Finder

I think you'd need the application to be able to log to one of 2 separate log files, on demand.
Then, set up an alert (based on indexed volume for the day) to switch logging (via an alert-triggered script) to the log file that is not being indexed by Splunk.
At midnight daily, fire another alert that will switch logging back to the log file that is being indexed.

Some Java app servers can switch log4j logging levels on demand (via API) without a need to stop/start the app.
I do this for DEBUG-level logging to a logfile (6 of them) that is not being indexed, that rolls over every hour.
So I have the last 6 hours of logs, if I ever need to load any of them manually into Splunk for on-demand analysis of what just happened, without exhausting my daily indexing limit.

Now, I'm tempted to write/automate the script that will do the switch...

0 Karma

yannK
Splunk Employee
Splunk Employee

No such feature exists, why would you ever drop data ?
Oh wait, the license volume.

The only hard way I see, is to have a props/transforms that trash the events, that you activate manually with a script once a certain volume is reach, then removed every day at midnight.

0 Karma

genemats
Engager

Same question...probably a repost is needed

0 Karma

dikaye
Path Finder

seems no answer.

0 Karma

Branden
Builder

I like this question. Very curious to see the responses.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...