Dear SPLUNK community,
I have 200 servers and index metrics such as CPU, disk, memory, etc. at a per-minute interval.
Due to space constraints, the retention limit on those indexes is 1 week. However, I wish to do historical searches over, let's say, the past 1 year of data.
Is it possible to run a search to calculate the avg of those metrics by server daily, and store it in another index? By doing this, I could have the retention on this index as 1 year as that would take much less space?
Thank you!
What you are describing is called a Summary Index, and now that you know the term you will be able to find all you need with a simple web search.
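A sketch of the summary-index setup this answer points to, added here as an example and not taken from the original posts: a scheduled search rolls each day's per-minute events up to one row per server and writes it to a summary index kept for a year. The index names `os_metrics` and `summary_metrics`, the field names, and the saved-search name are assumptions; it also assumes the metrics are stored as events with extracted fields rather than in a metrics index.

```ini
# ---- indexes.conf ----
# Raw per-minute data (assumed index name): 1 week retention.
[os_metrics]
homePath   = $SPLUNK_DB/os_metrics/db
coldPath   = $SPLUNK_DB/os_metrics/colddb
thawedPath = $SPLUNK_DB/os_metrics/thaweddb
# 7 days * 86400 s
frozenTimePeriodInSecs = 604800

# Daily roll-up (assumed index name): 1 year retention.
[summary_metrics]
homePath   = $SPLUNK_DB/summary_metrics/db
coldPath   = $SPLUNK_DB/summary_metrics/colddb
thawedPath = $SPLUNK_DB/summary_metrics/thaweddb
# 365 days * 86400 s
frozenTimePeriodInSecs = 31536000

# ---- savedsearches.conf ----
# Runs at 00:05 every day over the previous full calendar day and
# writes one result row per host into the summary index.
[Daily server metric averages]
enableSched = 1
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
action.summary_index = 1
action.summary_index._name = summary_metrics
# Field names (cpu_pct, mem_used_pct, disk_used_pct) are assumed.
# "samples" keeps the per-day event count so that averages over longer
# spans can be weighted correctly instead of averaging daily averages.
search = index=os_metrics \
| bin _time span=1d \
| stats count AS samples \
        avg(cpu_pct) AS avg_cpu_pct \
        avg(mem_used_pct) AS avg_mem_used_pct \
        avg(disk_used_pct) AS avg_disk_used_pct \
        BY _time host
```

Historical searches then read from `index=summary_metrics`. Running the job shortly after midnight leaves the raw events well inside their 1-week retention when they are summarized.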