Use Intelligent Indexing
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Intelligent archiving is part of the Mediator/Message Processing Engine. It prevents logs, events, and LogMart data that do not conform to the TTL values set in Global Maintenance Settings from being added to the online databases. Instead, if your system is configured appropriately, this data is archived.
When Intelligent Archiving evaluates logs, it applies the following logic:
- If an event is older than the TTL_Event value plus one day, it is not inserted into the LogRhythm_Events database. The log is archived if the system is configured to do so.
- If a log is older than the TTL_LogMart value plus one week, it is not inserted into the LogRhythm_LogMart database. The log is archived if the system is configured to do so.
There are two TTL Global Data Management settings that work with Intelligent Archiving: TTL_LogMart and TTL_Event.
- On the main toolbar, click Deployment Manager.
- Click the Platform Manager tab.
- Click Global System Settings.
- You can modify any of the values evaluated and used by Intelligent Archiving:
- TTL_LogMart. The number of days the Log Mart info is available online before being removed by the maintenance process. This is the time to live value used by the Log Mart. Min=1, Max=3660.
- TTL_Event. The number of days the event info is available online before being removed by the maintenance process. This is the time to live value used by the events. Min=30, Max=3660
- Click OK.