Is there a way in Splunk to tag some specific logs and keep them for a longer retention time? So for example, I want to tag several logs from the firewall index, and I don't want these logs to ever be overwritten with new logs. How should I preserve these logs in Splunk, for example logs related to incidents, etc.? Just wondering if Splunk has this feature?
Since retention is index-based, it is not possible to do this in one and the same index.
But you can create tags for those events (http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/TagandaliasfieldvaluesinSplunkWeb) and use the tags in a search in combination with
collect (http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Collect) to add them to another indexer, which will not expire nor be overwritten.
Hope this helps ...
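One concrete way to wire up the approach in the answer above, added here as an example and not part of the original answer: a dedicated long-retention index plus a scheduled search that copies tagged firewall events into it with `collect`. The index name `incident_archive`, the tag name `incident`, the paths and the schedule are assumptions.

```ini
# indexes.conf (indexer side): a dedicated index that is never aged out.
[incident_archive]
homePath   = $SPLUNK_DB/incident_archive/db
coldPath   = $SPLUNK_DB/incident_archive/colddb
thawedPath = $SPLUNK_DB/incident_archive/thaweddb
# Retention is enforced per index by two independent limits; raise both,
# otherwise whichever is hit first still rolls buckets to frozen (deleted).
frozenTimePeriodInSecs = 3110400000   # ~98 years (default is 6 years)
maxTotalDataSizeMB     = 10000000     # 10 TB (default 500000 MB would evict)
# Safety net: if a bucket does roll to frozen, archive it instead of deleting it.
coldToFrozenDir = /opt/splunk_frozen/incident_archive   # assumed path

# savedsearches.conf (search head): nightly, copy yesterday's events from the
# short-lived firewall index that carry the "incident" tag.
# "incident" is assumed to be a tag on a field value (e.g. on src_ip), since
# Splunk tags attach to field values, not to individual events.
[Archive tagged incident events]
enableSched = 1
cron_schedule = 15 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time   = @d
# collect keeps each event's original _time; the copy is written with
# sourcetype "stash", which does not count against the license. The marker
# records where the copy came from so the archive stays searchable by origin.
search = index=firewall tag=incident | collect index=incident_archive marker="origin=firewall"
```

Run the search once by hand with `| collect index=incident_archive testmode=true` to preview what would be written before enabling the schedule.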