Is there a way in Splunk to tag some specific logs and keep them for a longer retention time? For example, I want to tag several logs from the firewall index, and I don't want these logs to ever be overwritten by new logs. How should I preserve such logs in Splunk, for example logs related to incidents, etc.? Just wondering if Splunk has this feature?
You can use collect to dump the ones that you would like to keep into a Summary Index and have a much longer retention period for those.
Hi daniel_augustyn,
Since retention is index-based, it is not possible to do this within one and the same index.
But you can create tags for those events (http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/TagandaliasfieldvaluesinSplunkWeb) and use the tags in a search in combination with collect (http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Collect) to add them to another indexer which will neither expire nor be overwritten.
Hope this helps ...
cheers, MuS
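One concrete way to wire up what both answers describe, as an added example and not configuration from either poster: a dedicated index with a long retention on the indexers, plus a scheduled search that collects the tagged firewall events into it. The index name `firewall_retain`, the tag name `incident`, the schedule and the retention values are assumptions.

```ini
# --- indexes.conf (on the indexers, e.g. in an app's local/ directory) ---
# Retention is set per index, so the retained events get their own index
# whose age and size limits are well above those of the firewall index.
[firewall_retain]
homePath   = $SPLUNK_DB/firewall_retain/db
coldPath   = $SPLUNK_DB/firewall_retain/colddb
thawedPath = $SPLUNK_DB/firewall_retain/thaweddb
# Age limit in seconds (assumed value: 10 years). Buckets older than this are frozen.
frozenTimePeriodInSecs = 315360000
# Size limit in MB (assumed value). If this fills up, the oldest buckets are
# frozen by size before they reach the age limit, so keep it generous.
maxTotalDataSizeMB = 51200

# --- savedsearches.conf (on the search head) ---
# Runs 5 minutes past every hour over the previous full hour, so consecutive
# runs cover non-overlapping windows and do not write duplicate copies.
[Retain tagged firewall incidents]
search = index=firewall tag=incident | collect index=firewall_retain marker="retain_job=firewall_incidents"
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
cron_schedule = 5 * * * *
enableSched = 1
```

Events written by `collect` get the `stash` sourcetype, so search the copy with `index=firewall_retain retain_job=firewall_incidents`; once the original firewall buckets roll off, this copy is the only one, so the tag must be in place before the scheduled run picks the events up.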