Solved: help to improve disk quota

jip31 · ‎02-07-2022

Hi

I use a search wich is enough verbose because it queries on system events base on different tokens

By default all these tokens are put on "*"

index=toto sourcetype="system" site="$Site$" type=$type$ name="$name$"

I would like to know if there is a solution to reduce the disk quota and the number of events without playing with the timepicker or without playing with tokens?

thanks

ITWhisperer · ‎02-07-2022

What do you mean by disk quota?

If this is to do with the amount of data returned by the primary search, apart from modifying the search criteria, e.g. earliest/latest, and field-based filters (with or without tokens), how else do you imagine this might be specified?

Or do you want to increase the amount of space a user can use?

View solution in original post

ITWhisperer · ‎02-07-2022

What do you mean by disk quota?

If this is to do with the amount of data returned by the primary search, apart from modifying the search criteria, e.g. earliest/latest, and field-based filters (with or without tokens), how else do you imagine this might be specified?

Or do you want to increase the amount of space a user can use?

jip31 · ‎02-07-2022

I mean quoto disk in the task manager

it was just a question about hypothetic interesting trick

so I consider there nothing else about timepicker and filtering

help to improve disk quota

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio