product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
How to reduce the size of the _audit index
- release date
- 2015-08-10
- last updated
- 2024-03-04
- version
- Splunk Enterprise 9.0.4
- Overview
- Learn how to reduce the size of the _audit index.
- Reference information
- content
-
About the _audit index
The _audit index mainly accumulates Splunk's operation history as an internal log.
The _audit index is set to:
Index name: _audit
Maximum size: 500,000MB (≒ 500GB)
Retention period: Approximately 6 yearsThe amount of increase varies depending on the usage situation, but continuing long-term operation may lead to pressure on the disk capacity.
_audit index maximum resizing procedure
- Log in to SplunkWeb as a user with admin role.
- From the Settings menu in the upper right, select Indexes.
- From the list of indexes, click _audit.
- Change "Maximum size of entire index (MB)" to an appropriate value.
- Click the "Save" button.
This allows Splunk to change the maximum size of the _audit index without restarting the service.
Please note that if the size specified here is smaller than the current index size, excess past data will be deleted.
that's all
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
