Hello-
I am auditing a company and am trying to determine the retention time for Splunk logs. I have been reading that you need access to the indexes.conf file, but I am unable to access it. Is there a command or somewhere else I can look in order to figure out the retention period?
Thanks
You can use the rest api from a splunk search:
| rest /services/data/indexes
This should give you all of the configuration info you need.
http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTintrospect#data.2Findexes
You can run this report which was published at bucket retention and frozenTimePeriodInSecs
The query is -
| dbinspect index=* | join index [|rest /services/data/indexes| eval index=title | table index frozenTimePeriodInSecs ] | eval toNow=now()-endEpoch | convert num(toNow) | convert num(frozenTimePeriodInSecs) | convert ctime(endEpoch) AS endEvent | convert ctime(startEpoch) AS startEvent | eval shouldBeFrozen=if( ( state!="hot" AND state!="thawed" ) AND toNow>frozenTimePeriodInSecs,"yes","no") | table index path id state startEvent endEvent shouldBeFrozen toNow frozenTimePeriodInSecs
The Distribution Management Console also shows information about Data Retention if you are on 6.4.x.
You can use the rest api from a splunk search:
| rest /services/data/indexes
This should give you all of the configuration info you need.
http://docs.splunk.com/Documentation/Splunk/6.4.1/RESTREF/RESTintrospect#data.2Findexes
Thanks! this with a dedup on title helped me!
Hi @wzgoda
Glad you found your answer through @justinatpnnl
I see you upvoted his answer, but please don't forget to actually resolve the post by clicking "Accept" directly below his answer.
Try this:
|dbinspect | convert ctime(endEpoch) | convert ctime(startEpoch) | table index, endEpoch, startEpoch, rawSize, sizeOnDiskMB, eventCount