Hi,
We need your help in creating the configuration to align with the requirements.
We have created an index for application logs, rpp_pe_idx_dmc, and we have created a scheduled saved search to perform some searches and store the results by enabling summary indexing at rpp_pe_summary_idx_dmc. The question here is that we need to update indexes.conf to meet the requirements below.
* Hot & Warm buckets will have 90 days of raw data (for index rpp_pe_idx_dmc)
* Cold buckets will have last 10 months of summary data (for index rpp_pe_summary_idx_dmc)
If we look at my incomplete indexes.conf:
[rpp_pe_idx_dmc]
coldPath = volume:COLD/rpp_pe_idx_dmc/colddb
homePath = volume:HOTWARM/rpp_pe_idx_dmc/db
thawedPath = $SPLUNK_DB/rpp_pe_idx_dmc/thaweddb
[rpp_pe_summary_idx_dmc]
coldPath = volume:COLD/rpp_pe_summary_idx_dmc/colddb
homePath = volume:HOTWARM/rpp_pe_summary_idx_dmc/db
thawedPath = $SPLUNK_DB/rpp_pe_summary_idx_dmc/thaweddb
Could you provide us the completed configuration of those two snippets to meet the requirements?
Thanks!!