Hi All, I have tried looking over the documentation for this, but I am super confused. And really struggling to wrap my head around this. I have an environment where Splunk is ingesting syslog from 2 firewalls. The logs are only audit / management related, and these need to be sent to a sperate server for compliance (hence splunk). I  want to configure a retention policy where this data is deleted after 1 year, as that is the specific requirement. From what i can tell, i just need to add the "frozentimeinseconds" line to the index conf file for the "main" index (as this is where the events are going) Current ingestion is ~150,000 events per day. And daily ingestion is ~30-35MB.However, this is subject to change in the future as more firewalls come online etc.. There is plenty of storage available. However the requirement is just 1 year of searchable data. But I keep seeing things about hot/warm/cold/frozen etc.. and i just dont get it. All thats needed is 1 year of searchable data, anything older than (time.now() - 365 days) can be deleted.   Can someone please assist me with what i need to do to make this work

Hello,   I have a CSV file with many MANY columns (in my case there are 7334 columns with an average length of 145-146 chars each. This is a telemetry file exported from some networking equipment and this is just part of the exported data... The file has over 1000 data rows but I'm just trying to add 5 rows at the moment. Trying to create an input for the file fails when adding more that 4175 columns with the following error: "Accumulated a line of 512256 bytes while reading a structured header, giving up parsing header" I have already tried to increase all TRUNCATION settings to well above this value (several orders of magnitude) as well as the "[kv]" limits in the "limits.conf" file. Nothing helps. I searched the forum here but couldn't find anything relevant. A Google search yielded two results, one where people just decided that headers that are too long are the user's problem and did not offer any resolution (not even to say it's not possible). The other result just went unanswered. Couldn't find anything relevant in the Splunk online documentation or REST API specifications either. I will also mention that processing the full data file with Python using either the standard csv parser or Pandas works just fine and very quickly. The total file size is ~92MB which is not big at all IMHO. My Splunk info: Version:9.1.2 Build:b6b9c8185839 Server:834f30dfffad Products:hadoop Needless to say the web frontend crashes entirely when I try to create the input so I'm doing everything via the Python SDK now. Any ideas if this can be fixed to I can add all of my data?

I have this query in my report scuedhled to run every week, but results are for all time, how can i fix ? index=dlp user!=N/A threat_type=OUTGOING_EMAIL signature="EP*block" earliest=-1w@w latest=now | stats count by user _time | lookup AD_enrich.csv user OUTPUTNEW userPrincipalName AS Mail, displayName AS FullName, wwwHomePage AS ComputerName, mobile AS Mobile, description AS Department, ManagerName, ManagerLastName | table _time, Users, FullName, Mail, Mobile, ComputerName, Department, ManagerName, ManagerLastName, count