Splunk Search

How to retain statistics and metadata while aging out logs?

devinmcelheran
New Member

Hi everyone,

I think the title sums it up, but I'll clarify anyway.

So, we would like to pull some information from our networking equipment. Very easily done, but we don't want to store it long term. The data we're looking for, at least right now, is primarily the usage statistics, such as what sites people are visiting most, how much traffic is blocked vs traffic that is allowed, etc.

We approached this with Graylog initially, but we severely underestimated just how much logging data we were dealing with. As it turns out, our networking equipment is very verbose. We aren't committed to storing that much data and Graylog doesn't have a straightforward way to store historical statistics and metadata while discarding or aging out the logs through retention policies.

Does Splunk have a way of accomplishing this? If so, would someone mind telling me the Splunk terminology? I've done some searching online, but I can't seem to find what I'm looking for.

Thank you, everyone.

0 Karma

evania
Splunk Employee

Hi @devinmcelheran ,

Did you have a chance to check answers yet? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma

skalliger
Motivator

Hi,

Not exactly as a feature, but with SPL you can do almost everything. And this would be one of the easier steps.

To be exact, there are two ways (at least). The first one is kinda short: instead of indexing _raw at all, just use indexed extractions to keep the fields you want (a rather rare use case with Splunk).

The other option: summary indexes.
1. Keep in mind that every index has its own retention time.
2. Define indexes that meet your requirements to look further into the past without keeping _raw.
3. Use either collect or mcollect depending on the type of data and store your desired data in separate indexes with longer retention times.
4. Get rid of _raw much faster on the original indexes (reduce retention time).

Skalli

0 Karma
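As an added example (not from skalliger's answer and not Splunk's own documentation), here is what steps 1 to 4 look like in configuration: a noisy raw index with a short retention, a summary index with a long one, and a scheduled search that rolls the raw events up with `collect`. The index names (`network_raw`, `summary_netstats`), the sourcetype and the field names `action`, `dest_host` and `bytes` are assumptions; substitute whatever your firewall's sourcetype actually extracts.

```ini
# indexes.conf (index names are assumed for this example)
# Step 4: the verbose raw firewall logs only live for 7 days.
[network_raw]
homePath   = $SPLUNK_DB/network_raw/db
coldPath   = $SPLUNK_DB/network_raw/colddb
thawedPath = $SPLUNK_DB/network_raw/thaweddb
frozenTimePeriodInSecs = 604800

# Step 2: the rolled-up statistics are kept for 2 years.
# Summary events are small, so the long retention costs little disk.
[summary_netstats]
homePath   = $SPLUNK_DB/summary_netstats/db
coldPath   = $SPLUNK_DB/summary_netstats/colddb
thawedPath = $SPLUNK_DB/summary_netstats/thaweddb
frozenTimePeriodInSecs = 63072000

# savedsearches.conf
# Step 3: every hour at :05, aggregate the previous full hour and write
# only the per-hour counts into the summary index with collect.
# The sourcetype and the fields action, dest_host and bytes are assumed.
# Once network_raw ages out, only these aggregates remain: drilling
# down to individual allowed/blocked connections is no longer possible.
[hourly_web_usage_summary]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
search = index=network_raw sourcetype=fw:traffic \
    | bin _time span=1h \
    | stats count AS events sum(bytes) AS bytes BY _time, action, dest_host \
    | collect index=summary_netstats
```

Long-term reports then run against the small index only, e.g. `index=summary_netstats | timechart span=1d sum(bytes) BY action`, and never touch _raw. Because each hour is summarised once, an hour in which the scheduled search failed to run leaves a permanent gap, so alert on skipped or errored runs of the saved search.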