Hi,
I am a Splunk newbie. I have set up Splunk in a lab environment with limited resources on an ESXi server (max. 100GB virtual HD). I am wondering if there is (if not default) an option to tell Splunk to use round robin buffers for all data coming in (syslogs and Sourcefire eStreamer data). E.g. store only data for 30 days and overwrite old data if the buffer size is reached. Is there an option to do that, and/or is this recommended, or does it have any non-obvious side effects? The environment is mainly built to play with Splunk and start learning it. The goal is to make sure the VM does not crash, not to keep all logging.
tia,
Holger