Greetings,
My Splunk installation is simply configured to collect syslog messages (udp 514) and nothing fancy... and I would like to create a copy of every event at a 24-hour interval. How do I do that?
The closest I can figure out to accomplish this is to mark the information as "cold"
[main]
coldPath = /opt/splunk-archive
frozenTimePeriodInSecs = 86400
By the way... this isn't working. After 24 hours I don't see my data... and yes, I restarted the service.
Is there a better way to do this? I am not too comfortable freezing the information like this, but will if I cannot figure out a better way... which would be to simply look at all the events in the last 24 hours and create a zip file of the data (perhaps via a script).
What is the optimal way to do this?
Thanks in advance,
~Jaga
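The script-based approach the post describes, as an added example that is not part of the original question or of Splunk's own tooling: it exports the previous calendar day's events with the `splunk search` CLI and gzips them into a dated archive. The `SPLUNK_HOME`, `SPLUNK_INDEX`, `ARCHIVE_DIR` and `SPLUNK_AUTH` variables, the `/opt/splunk-archive` directory and the `syslog-YYYYMMDD.raw.gz` naming are assumptions for this example.

```shell
#!/bin/sh
# Added example: nightly export of one day of Splunk syslog events to a gzip archive.
# Assumed environment: SPLUNK_HOME (default /opt/splunk), SPLUNK_INDEX (default main),
# ARCHIVE_DIR (default /opt/splunk-archive) and SPLUNK_AUTH ("user:password").
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_INDEX="${SPLUNK_INDEX:-main}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/opt/splunk-archive}"

# Search string for exactly one calendar day: from the previous midnight
# (-1d@d) up to today's midnight (@d), so consecutive runs never overlap.
search_spec() {
    printf 'index=%s earliest=-1d@d latest=@d' "$1"
}

# Archive path for a given day stamp, e.g. /opt/splunk-archive/syslog-20240101.raw.gz
archive_name() {
    printf '%s/syslog-%s.raw.gz' "$1" "$2"
}

# Run the export and compress it; write to a temp name first so a partial
# file from a failed run is never mistaken for a complete archive.
export_window() {
    idx="$1"; out="$2"
    # -output rawdata returns only the raw event text; -maxout 0 lifts the result cap.
    "$SPLUNK_HOME/bin/splunk" search "$(search_spec "$idx")" \
        -output rawdata -maxout 0 -auth "$SPLUNK_AUTH" | gzip -9 > "$out.tmp"
    mv "$out.tmp" "$out"
}

# The export only runs when credentials are supplied, so the functions above
# can be sourced or tested without contacting Splunk.
if [ -n "${SPLUNK_AUTH:-}" ]; then
    mkdir -p "$ARCHIVE_DIR"
    day="$(date -d yesterday +%Y%m%d 2>/dev/null || date -v-1d +%Y%m%d)"
    export_window "$SPLUNK_INDEX" "$(archive_name "$ARCHIVE_DIR" "$day")"
fi
```

Scheduled from cron shortly after midnight, this keeps the events searchable in Splunk while still producing a daily copy, unlike lowering `frozenTimePeriodInSecs`, which removes buckets from the index once they age out.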