Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing the Searchable retention of index- Is there a way to pull data earlier than the 90 day mark?

neerajs_81
Builder
‎03-08-2022 11:32 PM

Hello All,   

One of our indexes ( Name: okta ) has a searchable retention period of 90days as shown in the screenshot.

Is there a way to pull data earlier than the 90 day mark ? We want to go back upto last 1 year.    If i change this value to 365 days will it me search thru the old data ( older than 90d ) ? OR is there something more that needs to be done.. ? Thanks in advance

neerajs_81_0-1646811111612.png

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-09-2022 12:58 AM

Hi @neerajs_81 

you can not  search the older data , over the retention time mentioned , here you can not search for  more than 90 days, but if dymaic data srotage  mentioned than you can archive the data for later usage 

SanjayReddy_0-1646816065203.png
please refer to follwing URL for archiving the data
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2112/Admin/ManageIndexes 

https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage
https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataArchiver 

View solution in original post

Reply
Solved! Jump to solution
Solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-09-2022 12:58 AM

Hi @neerajs_81 

you can not  search the older data , over the retention time mentioned , here you can not search for  more than 90 days, but if dymaic data srotage  mentioned than you can archive the data for later usage 

SanjayReddy_0-1646816065203.png
please refer to follwing URL for archiving the data
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2112/Admin/ManageIndexes 

https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataSelfStorage
https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/DataArchiver 

Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-09-2022 02:03 AM

Thanks for responding.   We do not have any Self Storage or Dynamic Storage configured for that index at the moment.  So i assuming, the older data is deleted for good, is that correct ?

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-09-2022 02:34 AM

Hi @neerajs_81 
yes , you are right, data will be deleted post retnetion time

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...