Getting Data In

Syslog Data Storage

miguel255
Engager

I have version 4.1 and have it set up to recieve syslog data directly from various servers but I only want to hold the data on the server for 14 days, is there a way of configuring this?

Also I have been unable to find out where the data is held and how much disk space it is taking up.

Thanks

Tags (1)

bwooden
Splunk Employee
Splunk Employee

By default indexes are stored in $SPLUNK_HOME/var/lib/splunk

You may set limits on disk usage via the GUI or CLI.

If you're only interested in the last 14 days of data, you may choose the appropriate time range from the Time Picker next to the search bar. Alternatively, you may specify that within the search itself:

sourcetype=syslog earliest=-14d 
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...