Data Retention Rules
This feature allows an administrator to manage the time duration for which data will be retained on the appliance.
Multiple Data Retention rules can be defined for managing data.
The Raw data retention time is the duration for which the data will be retained on the appliance. The Indexed data retention time is the duration for which the raw data will be indexed for searching.
Use the tab to define Data Retention rules. For each rule, you can specify the retention time period for raw and indexed data. The maximum value of indexed data retention can be 10 years. Log sources should be assigned to a specific Retention rule.
During installation, some pre-defined Retention rules (one Default and multiple Custom rules) are created. The number of pre-defined Custom rules may vary depending on each appliance model. You can create new Custom Retention rules. The Custom rules are prioritized in the order as they appear (from highest on the top) in the Custom rules list. You can change the priority by moving them up or down in the Custom Rules list, see Prioritizing Custom Rules.
- View All Rules—Lists all log sources and their effective rules. You can view the effective rule for a particular log source. For details, see Viewing Retention Rule Details.
- Custom Retention Rules—Specifies the raw and indexed data retention time for log sources assigned to the custom rule. For details on how to assign log sources to the rule, see Assigning Log Sources to a Data Retention Rule.
- Default Retention Rule—Specifies the raw and indexed data retention time for log sources that have not been assigned to any custom rule. If any log source is not assigned to Custom Retention rule, it will automatically be assigned to the Default Retention rule. You can modify the time period; however, you cannot delete this rule. For details, see Viewing Retention Rule Details.