Hi All,
We have set the data retention as 1 year (365 days) in the cluster master. But when we search the data in the Search and Reporting app for an index, we are able to fetch data more than a year old too. For audit purposes we need to track what the exact data retention is, and after that there should not be any logs for the same. But in our case we are able to fetch data more than a year old too.
So is there any search query that is able to pull the exact data retention which has been set for all indexes, and beyond that there should not be any data for that particular index?
These are the configurations which we have set on the cluster master server under the following folder:
/opt/splunk/etc/master-apps/mc_master_indexes/local
[splunk@mon-prod-cm-1 local]$ cat indexes.conf
[default]
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 20971520
[volume:hot]
path=/data/hot
maxVolumeDataSizeMB=2831156
[volume:cold]
path=/data/cold
maxVolumeDataSizeMB=12268340
So we need your quick help regarding the same to get the exact retention which has been set for all indexes.