I need to set 12 indexes to have 30 to 60 days hot...

nls7010 · ‎01-20-2020

Clients are saying they are only seeing 2 days worth of the logs.

[name]
homePath = volume:primary/name/db
coldPath = volume:primary/name/colddb
thawedPath = $SPLUNK_DB/name/thaweddb
frozenTimePeriodInSecs = 15780000
maxWarmDBCount = 300
maxHotSpanSecs=7776000
maxHotBuckets = 3
maxTotalDataSizeMB = 75000
repFactor = auto

nls7010 · ‎01-20-2020

We don't set anything other then what I show above. So I would think that the remaining values you show are at their default. We don't restrict their search time.

nls7010 · ‎01-20-2020

Just noticed you were showing a role. When we create the roles, we just use the default settings.

jwhughes58 · ‎01-20-2020

What is the value of the default user search time window? For example we use this

[role_canloginuser]
srchDiskQuota = 1000
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
get_metadata = enabled
get_typeahead = enabled
input_file = enabled
list_inputs = enabled
output_file = enabled
request_remote_tok = enabled
rest_properties_get = enabled
rest_properties_set = enabled
rtSrchJobsQuota = 0
search = enabled
srchJobsQuota = 1
srchMaxTime = 2h
srchTimeWin = 604800

The value of srchTimeWin is 7 days. You might have 30 to 60 days in hot, but they might be limited to only 2 search days.

I need to set 12 indexes to have 30 to 60 days hot is the following correct?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!