Solved: Is there a way to keep specific logs for a longer ...

daniel_augustyn · ‎12-21-2015

Is there a way in Splunk to tag some specific logs and keep them for longer retention time? So for example, I want to tag several logs from firewall index, and I don't want these logs to be overwritten ever with new logs. How should I preserve these logs in Splunk, for example logs related to incidents, etc. Just the thoughts if Splunk has this feature?

woodcock · ‎12-22-2015

You can use collect to dump the ones that you would like to keep into a Summary Index and have a much longer retention period for those.

View solution in original post

woodcock · ‎12-22-2015

You can use collect to dump the ones that you would like to keep into a Summary Index and have a much longer retention period for those.

MuS · ‎12-21-2015

Hi daniel_augustyn,

Since retention is index based, it is not possible to do this in one or the same index.
But you can create the tags for those events http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/TagandaliasfieldvaluesinSplunkWeb and use the tags in a search in combination with collect http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Collect to add them to another indexer which will not expire nor will be overwritten.

Hope this helps ...

cheers, MuS

Is there a way to keep specific logs for a longer retention time for historical searches?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...