cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jbates58
Observer
Member since: ‎01-14-2024
‎01-14-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-14-2024
Activity Feed
Topics I've Started
View All

Re: retention policy

by in Getting Data In
‎01-14-2024 06:02 PM
‎01-14-2024 06:02 PM
Here is the contents of that page. I have redacted out a little bit of info relating to the environment.       ... View more

retention policy

by in Getting Data In
‎01-14-2024 04:05 PM
‎01-14-2024 04:05 PM
Hi All, I have tried looking over the documentation for this, but I am super confused. And really struggling to wrap my head around this. I have an environment where Splunk is ingesting syslog from 2 firewalls. The logs are only audit / management related, and these need to be sent to a sperate server for compliance (hence splunk). I  want to configure a retention policy where this data is deleted after 1 year, as that is the specific requirement. From what i can tell, i just need to add the "frozentimeinseconds" line to the index conf file for the "main" index (as this is where the events are going) Current ingestion is ~150,000 events per day. And daily ingestion is ~30-35MB.However, this is subject to change in the future as more firewalls come online etc.. There is plenty of storage available. However the requirement is just 1 year of searchable data. But I keep seeing things about hot/warm/cold/frozen etc.. and i just dont get it. All thats needed is 1 year of searchable data, anything older than (time.now() - 365 days) can be deleted.   Can someone please assist me with what i need to do to make this work 🙂 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-14-2024 08:06 PM