Question 1:
In my org we have Splunk ES 7.2.X with 4 VMs (Win OS), i.e., 1 Search Head, 1 Deployment Server, 2 Indexers.
***Search Head:***
On the search head we installed and configured the **Splunk Add-on for Amazon Web Services** and are getting logs in Splunk. Those logs are being saved in index (main) on the search head under **defaultdb/db**, and I didn't set the bucket retention policy. Can you please help me with the exact indexes.conf to set a retention policy that deletes logs older than 1 year?
Question 2:
I integrated some server logs (Hadoop, MuleSoft, ForgeRock) into Splunk, and these are being indexed in index (main). When I looked for the indexes.conf file, I was shocked that there is no indexes.conf file anywhere. I checked in my own way and found _cluster/indexes.conf, and in this I saw a script like **[main] -> repfactor = 0**
Seeing this, I guess that this is a cluster indexer, so it has repfactor = 0.
So can you please help me with the exact indexes.conf to set a retention policy that deletes logs older than 1 year in a cluster indexer?