Hello,
How is it possible to retain the logs of my Splunk for 1 year? Do I need to modify a parameter? What is the default retention time for logs, and how can I validate that?
Hello,
I checked the index.conf, but I don't see my index that I created.
Hi @isaor,
The retention times are set in indexes.conf:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf
For the retention time, you set frozenTimePeriodInSecs.
This is the example for the cold-to-frozen retention period:
frozenTimePeriodInSecs = <nonnegative integer>
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to
  frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs
  before it will roll. Then, the DB will be frozen the next time splunkd
  checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).
For 1 year, you would set the value to 31556926 seconds.
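
An added example (not part of the original thread and not Splunk's own tooling) for the "how can I validate that" part of the question: it reads one indexes.conf, applies the `[default]` stanza and the spec default quoted above, and reports which indexes keep data for less than one year. The index names and file contents are constructed, and it assumes a single file rather than Splunk's merged configuration.

```python
# Added example: the constants come from the spec excerpt quoted in the answer.
SPEC_DEFAULT = 188697600   # "Defaults to 188697600 (6 years)"
SPEC_MAX = 4294967295      # "Highest legal value is 4294967295"
ONE_YEAR = 31556926        # value the answer gives for 1 year

# Constructed sample indexes.conf content (index names are made up).
SAMPLE_CONF = """\
[default]
# no global frozenTimePeriodInSecs override here

[main]
frozenTimePeriodInSecs = 188697600

[firewall]
homePath = $SPLUNK_DB/firewall/db
frozenTimePeriodInSecs = 7776000

[audit_custom]
homePath = $SPLUNK_DB/audit_custom/db
"""

def parse_stanzas(text):
    """Return {stanza: {key: value}} for the text of one indexes.conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def retention_report(text, required=ONE_YEAR):
    """Map each index to (effective seconds, meets the required retention?)."""
    stanzas = parse_stanzas(text)
    fallback = stanzas.get("default", {}).get("frozenTimePeriodInSecs", SPEC_DEFAULT)
    report = {}
    for name, settings in stanzas.items():
        if name == "default" or name.startswith("volume:"):
            continue  # not index stanzas
        secs = int(settings.get("frozenTimePeriodInSecs", fallback))
        if not 0 <= secs <= SPEC_MAX:
            raise ValueError(f"{name}: {secs} is outside the legal range")
        report[name] = (secs, secs >= required)
    return report

if __name__ == "__main__":
    for index, (secs, ok) in retention_report(SAMPLE_CONF).items():
        print(f"{index:14} {secs:>11}s {secs / 86400:8.1f} days  {'OK' if ok else 'SHORT'}")
```

Splunk merges indexes.conf files from several directories, so an index missing from one file may be defined in another; `splunk btool indexes list --debug` prints the merged settings together with the file each one comes from.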