Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Cloud DDAA

splunkcol
Builder
‎05-05-2022 04:20 PM

Sorry for the bad translation.

I have a Cloud client.

The license is 50GB by day

Additional DDAA has been contracted about what is not very clear to me, the shared documentation seems to be outdated or not available.

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/User/DataArchiver

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Service/SplunkCloudservice#Storage

https://docs.splunk.com/Documentation/SplunkCloud/8.0.2007/Service/SplunkCloudservice#Search

splunkcol_0-1651792160557.png

When I go to "Settings" - "Indexes" I can see the indexes used by this client and the others that are internal to splunk from what I see.

 

I see that one of the indexes has already reached the maximum size of 500GB and I don't know if it has the DDAA active.

splunkcol_1-1651792240438.png

According to this image I understand that the DDAA is active? I must do something?

I am worried if information is being lost since the client needs to retain that data for a long time

splunkcol_2-1651792407010.png

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2022 05:36 PM

Once DDAA is activated for an index, there is nothing more you need to do.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2023 09:47 AM

@splunkcol There have been OOB conversations lately about some confusion over the DDAA period.  It's common (and reasonable) to think the Searchable Retention and the Archive Retention are separate measurements, but that is not the case.  As the text under Archive Retention says, the number includes the time the data spent as Searchable.  IOW, the settings shown will result in the data being frozen after 365 days and not archived.  To archive data for 365 days after it's been searchable for 365 days, set DDAA to 730.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2022 05:36 PM

Once DDAA is activated for an index, there is nothing more you need to do.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...