Would these settings also have to be made if I set the retention period for this index to 1 day or possibly 1 week? ... View more

Hi Giuseppe, yep, I currently empty the index for the events using a very short retention time. I think it will stay that way. Other solutions like the KV Store don't really make much sense. Thanks for the nice exchange. Bye. ... View more

Hi Giuseppe, yes I understand how Splunk stores its data in the indexes. But when I run the scripted input every hour, it creates 24 entries for one device entry from the target system. But with Scripted Input I'm not just getting one entry back, I could be getting 200 entries back from the target system. And then 24 entries a day for 200 device entries is a lot, over a long period of time it takes a lot of space on the indexer. So I want to find a way to store the data from the scripted input on the indexer, but not store too many duplicates of the same device entries. FYI: With the Script for the Scripted Input I ask the API of an i-doit System, which is a Software for IT-Documentation to give me all of its stored device-entries. Thanks in advance. ... View more

Thanks for the answer. Currently I also store the output in an index, but since the scripted input is executed every hour and I don't want to have the same data stored in the index several times, I empty the index completely after every hour. But now I have the problem that it can happen that the API query does not work, which would mean that no data from the system queried via API is available in Splunk. What solution can you recommend for this problem? Thanks in advance. ... View more