Re: Is there a way to turn off internal splunk log...

marvatwork · ‎03-30-2015

I need to keep the data in $SPLUNK_HOME/var/log/splunk.
I've tried to increase the max file size and increase the number of logs; however, this has shown to be inadequate.
Is there a way that I can just turn off the rotation? If not, can I archive the old logs instead of having them rotate off?

rsennett_splunk · ‎03-30-2015

The retention _internal index (and other internal logs) is set just like any other index.
In the case of the default internal logs, you'll find the settings in $SPLUNK_HOME/etc/system/default/indexes.conf
You'll find this stanza, for instance:

[_internal]
homePath   = $SPLUNK_DB/_internaldb/db
coldPath   = $SPLUNK_DB/_internaldb/colddb
thawedPath = $SPLUNK_DB/_internaldb/thaweddb
tstatsHomePath = volume:_splunk_summaries/_internaldb/datamodel_summary
maxDataSize = 1000
maxHotSpanSecs = 432000
frozenTimePeriodInSecs = 2592000

It's that last one that decides how long it hangs around before it is deleted (259200 seconds = 30 days)

Create $SPLUNK_HOME/etc/system/local/indexes.conf

[_internal]
frozenTimePeriodInSecs= NumberOfSecondsYouWantToRetainInternalLogs

Create a stanza for each index you want to keep longer...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Is there a way to turn off internal splunk log rotation or archive off the internal logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases