Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing the Searchable retention of index- Is there a way to pull data earlier than the 90 day mark?

neerajs_81
Builder
‎03-08-2022 11:32 PM

Hello All,   

One of our indexes ( Name: okta ) has a searchable retention period of 90days as shown in the screenshot.

Is there a way to pull data earlier than the 90 day mark ? We want to go back upto last 1 year.    If i change this value to 365 days will it me search thru the old data ( older than 90d ) ? OR is there something more that needs to be done.. ? Thanks in advance

neerajs_81_0-1646811111612.png

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SanjayReddy
Motivator
‎03-09-2022 12:58 AM

Hi @neerajs_81 

you can not  search the older data , over the retention time mentioned , here you can not search for  more than 90 days, but if dymaic data srotage  mentioned than you can archive the data for later usage 

SanjayReddy_0-1646816065203.png
please refer to follwing URL for archiving the data
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2112/Admin/ManageIndexes 

https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage
https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataArchiver 

View solution in original post

Reply
Solved! Jump to solution
Solution

SanjayReddy
Motivator
‎03-09-2022 12:58 AM

Hi @neerajs_81 

you can not  search the older data , over the retention time mentioned , here you can not search for  more than 90 days, but if dymaic data srotage  mentioned than you can archive the data for later usage 

SanjayReddy_0-1646816065203.png
please refer to follwing URL for archiving the data
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2112/Admin/ManageIndexes 

https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage
https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataArchiver 

Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-09-2022 02:03 AM

Thanks for responding.   We do not have any Self Storage or Dynamic Storage configured for that index at the moment.  So i assuming, the older data is deleted for good, is that correct ?

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
Motivator
‎03-09-2022 02:34 AM

Hi @neerajs_81 
yes , you are right, data will be deleted post retnetion time

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...