I have a cluster set up with 1 index master, and 2 index peers.
I would like to change the size of the _audit index from 500G to 400G.
How can I go about changing these? On my index master, in the inputs.conf file that gets pushed out, there is no _audit index since these are created from Splunk setup. I cannot go to each peer and change them manually, because the peers are part of a cluster.
Thanks!
On both indexers, you would need to create a stanza.
Go to $SPLUNK_HOME/etc/system/local/indexes.conf
and create
[_audit]
Would doing that clobber the existing data/index that is on the peer servers?
No, it won't.
Also have a look at this:
https://answers.splunk.com/answers/26834/audit-and-internal-index-data-retention.html