I've searched through the docs to find out if there is a max setting in Splunk for the bucket retention policy, and I have not come across anything that says there is a max time frame you can set within the indexes.conf file.
I'm aware of the option where you can set the time frame in seconds with
frozenTimePeriodInSecs =
There is an audit requirement where our logs need to be stored for 7 years on remote storage. Does anybody know if there is a max time limit for buckets and has anyone made a policy to keep frozen logs for multiple years?