Splunk Enterprise

Will my ITSI setting work- itsi_notable_event_retention.conf?

abhisplunk1
Explorer

does setting the following configuration in itsi_notable_event_retention.conf will send the events if limit is reached before the specified time period. For example if the event object count exceed 500000 before the retentiontime period will the retention object go to archive?

 

[itsi_notable_group_user]
# Default is one year
retentionTimeInSec = 31536000
retentionObjectCount = 500000
disabled = 0
object_type = notable_event_group

 

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...