I have been using Splunk on Windows since 5th December 2012.
For audit purposes I need the audit.log files from December 2012 to date.
But I could find audit.log files only for this month of June.
Are the old audit.log files archived somewhere, or deleted?
Where can I find the configuration for log files?
Kindly help me with this.
audit.log itself is rotated on a regular basis, but its contents are indexed as well in Splunk's index _audit.
You might be out of luck for the _internal index; it is not kept for a long time. You can run the following command and check the frozenTimePeriodInSecs (and override it if needed for the future): $SPLUNK_HOME/bin/splunk btool indexes list _internal
Thanks Ayn. Does the same apply to splunkd.log? Like audit.log, splunkd.log gets indexed in the _internal index. But here only the last 2 months of data are available. How can I get older data?
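For the btool check suggested in the thread, here is an added example (not part of the original posts and not Splunk's own code) that reads `btool indexes list` output and reports, per index, the retention in days and whether buckets are archived or deleted once frozen. The sample output and its values are constructed; it assumes btool was run without `--debug`, and treats a set `coldToFrozenDir` or `coldToFrozenScript` as meaning frozen buckets are archived.

```python
# Added example: summarise retention from `splunk btool indexes list` output.
SAMPLE_BTOOL_OUTPUT = """\
[_audit]
coldToFrozenDir =
frozenTimePeriodInSecs = 188697600
[_internal]
coldToFrozenDir =
frozenTimePeriodInSecs = 2592000
[main]
coldToFrozenDir = D:\\splunk_frozen\\main
frozenTimePeriodInSecs = 31536000
"""  # constructed sample, not output from a real deployment


def parse_btool(text):
    """Return {index: {key: value}} from btool's '[stanza]' / 'key = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def retention_report(text):
    """Map each index to its retention in days and what happens at freeze time."""
    report = {}
    for index, conf in parse_btool(text).items():
        secs = conf.get("frozenTimePeriodInSecs")
        if secs is None or not secs.isdigit():
            continue  # setting missing or malformed; nothing to report
        # With neither setting present, frozen buckets are deleted, not kept.
        archived = bool(conf.get("coldToFrozenDir") or conf.get("coldToFrozenScript"))
        report[index] = {"days": int(secs) // 86400,
                         "on_freeze": "archived" if archived else "deleted"}
    return report


if __name__ == "__main__":
    for index, info in sorted(retention_report(SAMPLE_BTOOL_OUTPUT).items()):
        print(f"{index:12} {info['days']:>5} days, then {info['on_freeze']}")
```

An index size limit such as `maxTotalDataSizeMB` can freeze buckets before the time limit is reached, so the reported days are an upper bound on what is searchable.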