Subject: TruSTAR API: Data Retention Policy Inquiry
Dear Splunk Community,
We are currently utilizing your search_indicators API, as documented here: https://docs.trustar.co/api/v13/indicators/search_indicators.html.
While we understand that the API supports a maximum time range of 1 year per query, we require clarification on the overall data retention policy for indicators. I just want to know the total historical period for which indicator data is stored and retrievable via this API, regardless of the single query window limit.
Your insight into this would be greatly appreciated for our data strategy.
Other than the single query limit you mentioned, there are no publicly documented historic retention details regarding TruSTAR. I'd recommend reaching out to support and/or your Splunk account team, who may be able to dig into this a little further for you and get proper confirmation/clarification.
Hi @livehybrid ,
Yes, you've hit on my exact point.
I'm trying to determine the best way to contact support – specifically, if their assistance is limited to paying customers or if there's an avenue for the general public to inquire. This is precisely why I brought my question to the Splunk forum. If you have any information on how to reach the Splunk or TruSTAR technical teams, I would greatly appreciate your guidance.