How to reduce the size of the _audit index
- Release date: 2015-08-10
- Last updated: 2024-03-04
- Version: Splunk Enterprise 9.0.4
- Overview: Learn how to reduce the size of the _audit index.
About the _audit index
The _audit index mainly accumulates Splunk's operation history as an internal log.
The _audit index is configured as follows:
- Index name: _audit
- Maximum size: 500,000 MB (≒ 500 GB)
- Retention period: Approximately 6 years

How fast the index grows depends on usage, but over long-term operation it can put pressure on disk capacity.
Procedure for changing the maximum size of the _audit index
- Log in to Splunk Web as a user with the admin role.
- From the Settings menu in the upper right, select Indexes.
- From the list of indexes, click _audit.
- Change "Maximum size of entire index (MB)" to an appropriate value.
- Click the "Save" button.
This changes the maximum size of the _audit index without restarting the Splunk service.
Please note that if the size specified here is smaller than the current index size, excess past data will be deleted.
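Because the deleted data is audit history, it helps to estimate what a smaller limit would remove before saving it. The following Python sketch is an added example, not part of the original page or of Splunk: it assumes buckets are removed oldest first until the index fits, and it uses a constructed bucket list with hypothetical names (`SAMPLE_BUCKETS`, `plan_resize`, `describe`).

```python
from datetime import datetime, timezone

# Constructed sample: (bucket id, size in MB, latest event time as epoch seconds).
# On a real system these values could be taken from a bucket listing such as
# the output of the SPL command `| dbinspect index=_audit`.
SAMPLE_BUCKETS = [
    ("db_5", 900.0, 1709510400),   # 2024-03-04
    ("db_1", 1200.0, 1577836800),  # 2020-01-01
    ("db_3", 1500.0, 1672531200),  # 2023-01-01
    ("db_2", 1100.0, 1640995200),  # 2022-01-01
    ("db_4", 1300.0, 1704067200),  # 2024-01-01
]


def plan_resize(buckets, new_max_mb):
    """Return (removed_ids, kept_mb, oldest_kept_epoch) for a new maximum size.

    Assumption: buckets are removed oldest first (by latest event time)
    until the total size fits under new_max_mb.
    """
    ordered = sorted(buckets, key=lambda b: b[2])  # oldest first
    total = sum(size for _, size, _ in ordered)
    removed = []
    while ordered and total > new_max_mb:
        bucket_id, size, _ = ordered.pop(0)
        removed.append(bucket_id)
        total -= size
    oldest_kept = ordered[0][2] if ordered else None
    return removed, total, oldest_kept


def describe(buckets, new_max_mb):
    """Summarise the effect of a proposed limit as one line of text."""
    removed, kept_mb, oldest = plan_resize(buckets, new_max_mb)
    if oldest is None:
        horizon = "no audit data retained"
    else:
        day = datetime.fromtimestamp(oldest, tz=timezone.utc).date()
        horizon = f"oldest remaining bucket ends {day}"
    return f"remove {len(removed)} bucket(s) {removed}; keep {kept_mb:.0f} MB; {horizon}"


if __name__ == "__main__":
    for limit in (6000, 4000, 2000):
        print(f"max={limit} MB -> {describe(SAMPLE_BUCKETS, limit)}")
```

If the reported horizon is shorter than the period for which audit records must be kept, export or archive the affected data before reducing the limit.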