Issue: In the _internal logs we have logs from all Splunk UF and Splunk Enterprise components. We do not want the _internal logs from Splunk UF for more than 15 days. But we want to store the _internal logs from Splunk Enterprise components such as CM/LM/MC, IDX, SH, SHC, DS, HF for a longer duration for analysis purposes.
Now if we send the _internal logs of Splunk Enterprise components to a different index, then a lot of out-of-the-box searches in MC will not run as they should. Even the built-in license query will be affected.
We have tried using mcollect to send the _internal logs to another index, but then the sourcetype is changed to Stash. Please let me know if there is a way to do it?