Solved: Where can I see the retention policy of the indexe...

ddrillic · ‎07-19-2017

I can see the retention policy of the indexes in /opt/splunk/etc/master-apps/_cluster/local/indexes.confin frozenTimePeriodInSecs. I wonder where I can see in Splunk Web? We need a nice screenshot of that for auditing ...

rjthibod · ‎07-19-2017

I am pretty sure it is not visible in any ui, but you can run a search to get the value and format it accordingly.

Here is the search:

| rest /services/data/indexes | fields title froz* | rename title as index

View solution in original post

rjthibod · ‎07-19-2017

I am pretty sure it is not visible in any ui, but you can run a search to get the value and format it accordingly.

Here is the search:

| rest /services/data/indexes | fields title froz* | rename title as index

wrangler2x · ‎07-19-2017

I noticed that some of the indexes (such as _fishbucket) were in the list more than once, so I used deadup to drop the dupes. I also tossed in days and a row number:

| rest /services/data/indexes 
| rename title as index | dedup index | sort index
| streamstats count as Row
| eval Days=frozenTimePeriodInSecs/86400
| fields Row index frozenTimePeriodInSecs Days

ddrillic · ‎07-19-2017

Gorgeous - thank you both.

Where can I see the retention policy of the indexes in Splunk Web?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor