Splunk Cloud Platform

How to change the retention of policy of metadata logs based on region

Splunkerninja
Path Finder

We are indexing email metadata logs from various regions (china,US,Mexico,Italy) in Splunk Cloud.

The retention policy of these metadata logs is 270 days. We want to change the retention policy of few of the regions. For example, we want to store China metadata logs only for 30 days and all other logs for 270 days.

How to achieve this? 

Appreciate any kind of input here.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Splunkerninja ,

the only way to have different retention policies is to store logs in different indexes.

Usually you choose to have different indexes based on two parameters: retention policy and Access Grants.

You cannot have different retention policies on data in the same index.

This means that you have to create a rule on your Indexers or (if present) on Heavy Forwarders to override the default index value.

Ciao.

Giuseppe

Splunkerninja
Path Finder

@gcusello @richgalloway @ITWhisperer  ++ ++

 

Any suggestions please?

0 Karma
Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...