:question: on S3 Replay -> Splunk. Is it necessary for the destination Splunk Index to have retention settings that honor the timestamps of the replayed data? For example, If my index 'proxy-logs' has a retention of 180 days, and I replay data into it with timestamps that is > 200 days, I presume that data would be immediately evicted/frozen by Splunk?
Solved
What happens with retention setting in Splunk with timestamp from Replay?
Best answer by dritan
correct. i'd just create a couple with a very high `frozenTimePeriodInSecs`
If I am not mistaken, 180 days is Splunk Index time, not event time
So then create some replay specific indexes that have longer retention than typical? We use smartstore so storage size isn't a concern, but trying to understand best practice for replay.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.