Hi Team,
I have a requirement to show the last 90 days' worth of app login stats broken down by day.
I have a lookup table/definition created, and I have a saved search that writes the summary data for the previous day to the lookup every morning at 5 am.
The question I have: is there any time limit for how long the lookup will retain this data before it starts truncating or deleting data? I expect the data would remain intact; however, I wanted to check with a wider audience to see what your experience has been.
I understand a better way would be to create either a summary index or a KV store. I am not going that route, as it would need 2 weeks to get it out to production in my space and I need something quick.
Please share your thoughts.
Mine is a clustered environment (both SH & indexers); the version is 6.6+.
Thanks!
There is no retention for lookups. The lookup will stay until someone deletes it or overwrites it.
Hey, you can try a "Search-Driven Lookup"; there you can set retention for a lookup.
https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Createsearchdrivenlookups
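
An added example, not part of any post in this thread: because the lookup file itself never expires rows, the daily saved search can append the previous day's counts and trim anything older than 90 days before writing the lookup back. The index, sourcetype, field names and lookup file name below (all prefixed `example_`) are hypothetical placeholders.

```spl
index=example_app_index sourcetype=example:app:login example_action=success earliest=-1d@d latest=@d
| bin _time span=1d
| stats count AS logins dc(example_user) AS unique_users BY _time
| inputlookup append=true example_app_login_daily.csv
| dedup _time
| where _time >= relative_time(now(), "-90d@d")
| sort 0 _time
| outputlookup example_app_login_daily.csv
```

The `dedup _time` keeps the freshly computed row when the search is re-run for a day already in the file, so a manual re-run does not double-count, and the `where` clause is what bounds the lookup to 90 days.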