Solved: For how many days we can get the audit.log - in sp...

chimbudp · ‎06-21-2013

Since 5th December 2012 , I am using Splunk on windows OS.
For audit purpose i need the audit.log files from December 2012 to Till date .
But, I could found audit.log files available only for this June month only.
Whether the old audit.log will be archived somewhere? or deleted ?
Where can i get the configurations for log files ?

Kindly please help me in this.

Ayn · ‎06-21-2013

audit.log itself is rotated on a regular basis, but its contents are indexed as well in Splunk's index _audit.

View solution in original post

Ayn · ‎06-21-2013

audit.log itself is rotated on a regular basis, but its contents are indexed as well in Splunk's index _audit.

chris · ‎06-22-2013

You might be out of luck for the _internal index it is not kept for a long time. You can run the following command and check the frozenTimePeriodInSecs (and override it if needed for the future): $SPLUNK_HOME/bin/splunk btool indexes list _internal

chimbudp · ‎06-21-2013

Thanks Ayn. Does this same applies to Splunkd.log ? Like audit.log , splunkd.log gets indexed in _internal index. But, here only last 2 months data available ?How can i get older data ?

For how many days we can get the audit.log - in splunk ?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash