Solved: For how many days we can get the audit.log - in sp...

chimbudp · ‎06-21-2013

Since 5th December 2012 , I am using Splunk on windows OS.
For audit purpose i need the audit.log files from December 2012 to Till date .
But, I could found audit.log files available only for this June month only.
Whether the old audit.log will be archived somewhere? or deleted ?
Where can i get the configurations for log files ?

Kindly please help me in this.

Ayn · ‎06-21-2013

audit.log itself is rotated on a regular basis, but its contents are indexed as well in Splunk's index _audit.

View solution in original post

Ayn · ‎06-21-2013

audit.log itself is rotated on a regular basis, but its contents are indexed as well in Splunk's index _audit.

chris · ‎06-22-2013

You might be out of luck for the _internal index it is not kept for a long time. You can run the following command and check the frozenTimePeriodInSecs (and override it if needed for the future): $SPLUNK_HOME/bin/splunk btool indexes list _internal

chimbudp · ‎06-21-2013

Thanks Ayn. Does this same applies to Splunkd.log ? Like audit.log , splunkd.log gets indexed in _internal index. But, here only last 2 months data available ?How can i get older data ?

For how many days we can get the audit.log - in splunk ?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor