Splunk Search

Is it possible to get more than 90 days of logs in Splunk?

chandu141084
New Member

I need to get the logs which are older than 90 days in Splunk, but our retention policy is 90 days only. So, if it is possible to get them, kindly guide me.


sumanssah
Communicator

Yes, it's possible with changes in indexes.conf

Default system file location is $SPLUNK_HOME/etc/system/local/
Customised/add-on file location is $SPLUNK_HOME/etc/apps/<app_folder_name>

Increase "frozenTimePeriodInSecs" attribute for the indexes.conf

For example for _internal logs, you can increase retention from 30 days to 90 days by changing frozenTimePeriodInSecs from 259200 to 77,76,000

[_internal]
frozenTimePeriodInSecs = 7776000

nickhills
Ultra Champion

If you are using Splunk Cloud the default retention period is 90 days.

You can increase retention beyond 90 days if you need to, but you will have to talk to your account manager to make the changes.
You can modify the retention settings through the UI, but it will not affect retention beyond 90 days unless you are on one of the tiers that allows it.

If my comment helps, please give it a thumbs up!

chandu141084
New Member

Thank you Arjun


arjunpkishore5
Motivator

If your retention policy is 90 days, then data older than 90 days is archived/deleted based on how the environment is set up. Check with your Splunk admin on whether the data is archived; if yes, she/he should be able to thaw the data for you. But if your data has been deleted, then the only way to do it would be to re-index the data.

Another option, if you are looking for only aggregated data, is to summarize it into a summary index or KV store, depending on the volume of the data. This, however, is only effective from the day you implement it and cannot go back to any data that has already been deleted. All these options need to be discussed with your Splunk admin.

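The two answers above come down to one question: for each index, how long does frozenTimePeriodInSecs keep data, and is frozen data archived (coldToFrozenDir) or deleted? The script below audits an indexes.conf for exactly that. It is an added example, not code from this thread or from Splunk; it assumes Splunk's documented default of 188697600 seconds when no stanza sets the attribute, and the index names are constructed.

```python
import configparser

# Splunk's documented default when no stanza sets frozenTimePeriodInSecs:
# 188697600 s (6 years). From the indexes.conf spec, not from this thread.
SPLUNK_DEFAULT_FROZEN_SECS = 188697600
SECS_PER_DAY = 86400

# Constructed sample indexes.conf (hypothetical index names, not a real deployment).
# "bad_example" carries the comma-grouped value from the answer above, which is not a valid integer.
SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 7776000

[_internal]
frozenTimePeriodInSecs = 2592000

[web]
coldToFrozenDir = /archive/splunk/web

[audit_long]
frozenTimePeriodInSecs = 31536000

[bad_example]
frozenTimePeriodInSecs = 77,76,000
"""

def parse_indexes_conf(text):
    # A Splunk [default] stanza supplies fallback values to every index, which is
    # what configparser's default_section does; interpolation is off so $ paths survive.
    cp = configparser.ConfigParser(default_section="default", interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def retention_report(text, required_days):
    """Per index: retention in days, archived vs deleted when frozen, and whether the requirement is met."""
    cp = parse_indexes_conf(text)
    report = {}
    for index in cp.sections():
        try:
            secs = cp.getint(index, "frozenTimePeriodInSecs", fallback=SPLUNK_DEFAULT_FROZEN_SECS)
            days = secs / SECS_PER_DAY
        except ValueError:  # e.g. "77,76,000": not an integer; fix before deploying
            days = None
        report[index] = {
            "retention_days": days,
            "frozen_data": "archived" if cp.has_option(index, "coldToFrozenDir") else "deleted",
            "meets_requirement": days is not None and days >= required_days,
        }
    return report
```

Running retention_report(SAMPLE_INDEXES_CONF, 90) shows _internal at 30 days (deleted), web inheriting 90 days from [default] and archived, and bad_example flagged because its value does not parse.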