rranjan2020

Activity Feed

Tagged Audit index clean up on Monitoring Splunk. ‎12-16-2020 01:19 AM
Tagged Audit index clean up on Monitoring Splunk. ‎12-16-2020 01:19 AM
Tagged Audit index clean up on Monitoring Splunk. ‎12-16-2020 01:19 AM
Tagged Audit index clean up on Monitoring Splunk. ‎12-16-2020 01:17 AM
Tagged Audit index clean up on Monitoring Splunk. ‎12-16-2020 01:17 AM
Posted Audit index clean up on Monitoring Splunk. ‎12-16-2020 12:26 AM

Topics I've Started

Subject

Karma

Author

Audit index clean up

Hello, I am trying to delete data from _audit index. Currently it contains last 6 years data and occupying lot of space. I modified the $SPLUNK_HOME/etc/system/default/indexes.conf and added below under _audit stanza: [_audit] FrozenTimePeriodInSecs = 3153600 I restarted the splunk after making the changes. But I still see older data under Audit. Can you please help in finding what is wrong here? Do I need to make any additional changes or invoke anything to reflect the changes? Thanks in advance for your help.

Posts	1
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎12-16-2020

Online Status	Offline
Date Last Visited	‎12-16-2020 12:21 AM