on S3 Replay -> Splunk. Is it necessary for the destination Splunk index to have retention settings that honor the timestamps of the replayed data? For example, if my index 'proxy-logs' has a retention of 180 days, and I replay data into it with timestamps that are > 200 days old, I presume that data would be immediately evicted/frozen by Splunk?
If I am not mistaken, 180 days is Splunk Index time, not event time
nah
Splunk retention/frozen is based on _time, not on indextime
So then create some replay specific indexes that have longer retention than typical? We use smartstore so storage size isn't a concern, but trying to understand best practice for replay.
Correct. I'd just create a couple with a very high `frozenTimePeriodInSecs`
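To make the retention rule from this thread concrete, here is an added example (not code from the thread, and not Cribl's or Splunk's own tooling). It parses a constructed indexes.conf fragment with two hypothetical indexes, `proxy-logs` at 180 days and `proxy-logs-replay` at 2 years, and checks which replayed events would already be past `frozenTimePeriodInSecs` on arrival, judged by the event's own _time rather than the time it was indexed. Splunk actually freezes whole buckets once the newest event in the bucket crosses the threshold, and size limits such as `maxTotalDataSizeMB` can also trigger freezing; this per-event model covers the replay case where a bucket is filled entirely with old data and ignores size-based freezing.

```python
import configparser

# Constructed indexes.conf fragment (example only, not taken from the thread).
# 'proxy-logs' keeps 180 days; the hypothetical 'proxy-logs-replay' keeps
# 730 days so that replayed events with old _time values survive ingestion.
INDEXES_CONF = """
[proxy-logs]
frozenTimePeriodInSecs = 15552000

[proxy-logs-replay]
frozenTimePeriodInSecs = 63072000
"""

# Splunk's shipped default for frozenTimePeriodInSecs (6 years), used when a
# stanza does not set the key explicitly.
SPLUNK_DEFAULT_FROZEN_SECS = 188697600


def load_retention(conf_text):
    """Return {index_name: frozenTimePeriodInSecs} for each stanza in the text."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep camelCase key names exactly as Splunk writes them
    parser.read_string(conf_text)
    return {
        name: int(parser[name].get("frozenTimePeriodInSecs", SPLUNK_DEFAULT_FROZEN_SECS))
        for name in parser.sections()
    }


def would_be_frozen(event_time, retention_secs, now):
    """Retention is measured against the event's _time, not the index time.

    An event whose _time is older than frozenTimePeriodInSecs is already past
    retention the moment it lands, no matter when it was replayed.
    """
    return now - event_time > retention_secs


def check_replay(conf_text, index, event_times, now):
    """Return the _time values that would land past retention in `index`."""
    retention = load_retention(conf_text)[index]
    return [t for t in event_times if would_be_frozen(t, retention, now)]


if __name__ == "__main__":
    now = 1_700_000_000                 # constructed "current" epoch time
    events = [now - 200 * 86400,        # 200 days old: beyond 180-day retention
              now - 100 * 86400]        # 100 days old: within retention
    for index in ("proxy-logs", "proxy-logs-replay"):
        lost = check_replay(INDEXES_CONF, index, events, now)
        print(f"{index}: {len(lost)} of {len(events)} replayed events past retention")
```

Running it shows the 200-day-old event is already past retention in `proxy-logs` but safe in `proxy-logs-replay`, which is the reason for the replay-specific index suggested above. With SmartStore the same `frozenTimePeriodInSecs` applies; only the storage location changes.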