We have updated our Terms of Service, Code of Conduct, and Addendum.

What happens with retention setting in Splunk with timestamp from Replay?

Options
Paul Dott
Paul Dott Posts: 33 ✭✭
in General Discussions

:question: on S3 Replay -> Splunk. Is it necessary for the destination Splunk Index to have retention settings that honor the timestamps of the replayed data? For example, If my index 'proxy-logs' has a retention of 180 days, and I replay data into it with timestamps that is > 200 days, I presume that data would be immediately evicted/frozen by Splunk?

Best Answer

  • dritan
    dritan Posts: 51 ✭✭
    Answer ✓
    Options

    correct. i'd just create a couple with a very high `frozenTimePeriodInSecs`

Answers

  • Raanan Dagan
    Raanan Dagan Posts: 101 mod
    Options

    If I am not mistaken, 180 days is Splunk Index time, not event time

  • dritan
    dritan Posts: 51 ✭✭
    Options

    nah

  • dritan
    dritan Posts: 51 ✭✭
    Options

    splunk retention/frozen is based on _time not on indextime

  • Paul Dott
    Paul Dott Posts: 33 ✭✭
    Options

    So then create some replay specific indexes that have longer retention than typical? We use smartstore so storage size isn't a concern, but trying to understand best practice for replay.

  • dritan
    dritan Posts: 51 ✭✭
    Answer ✓
    Options

    correct. i'd just create a couple with a very high `frozenTimePeriodInSecs`

Categories