Hello,
I'm looking for advice on how to handle systems that are removed from the network.
We have several hundred Windows systems with the UniversalForwarder installed, sending log data to our Splunk server. As systems are decommissioned, I want to keep the log data from those retired systems in Splunk for compliance reasons. But I no longer want the retired system's host name to appear in the Data Summary window in Splunk Search. I only want live production systems to appear on that screen.
Is it just a matter of deleting the client name from the Forwarder Management screen?
Thanks,
Greg
When the data in indexed into Splunk, Splunk creates index files, also known as tsidx files and raw data files. The index files are what it makes the data searchable in Splunk and also feeds the Data Summary. By default the data is searchable as long as the raw data is retained in Splunk (before its frozen). So if you want to keep data in Splunk and keep it searchable, it will appear in the Data Summary page as well.
If you're in Splunk 6.4+, it provides an option to setup separate retention period for tsidx files. This way you want to keep the data in Splunk, but not searchable (at least right away) and it'll not appear in data summary page (haven't tested, may be someone else will confirm this). See this link for more details.
https://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/Reducetsidxdiskusage
Other option would be to archive the data in Splunk so it's not searchable at all and won't show up in data summaries. You can later restore the data if needed for audit.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Automatearchiving
http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Setaretirementandarchivingpolicy
When the data in indexed into Splunk, Splunk creates index files, also known as tsidx files and raw data files. The index files are what it makes the data searchable in Splunk and also feeds the Data Summary. By default the data is searchable as long as the raw data is retained in Splunk (before its frozen). So if you want to keep data in Splunk and keep it searchable, it will appear in the Data Summary page as well.
If you're in Splunk 6.4+, it provides an option to setup separate retention period for tsidx files. This way you want to keep the data in Splunk, but not searchable (at least right away) and it'll not appear in data summary page (haven't tested, may be someone else will confirm this). See this link for more details.
https://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/Reducetsidxdiskusage
Other option would be to archive the data in Splunk so it's not searchable at all and won't show up in data summaries. You can later restore the data if needed for audit.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Automatearchiving
http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Setaretirementandarchivingpolicy
Thanks for the response. That's some good information. I'll have to consider leaving it as is or archiving the data of those systems.
The main reason I wanted to do this is because the Data Summary screen was very helpful in identifying which systems were offline. So I was using it in a way it was intended. But it may still work for me.
Thanks again.