KV Store collection backups and retention

Index backups for KV Store collections

Only KV Store collections for findings such as missioncontrol.findings support index backups before deletion.

Index backups for findings occur in the following circumstances:

When automated retention of findings is turned on.
Note: Automated retention of findings is turned on by default in Splunk Enterprise Security version 8.3 and higher.
Findings are not added to an investigation.
Findings are older than the configured maximum age. Default value is 90 days.
The KV Store collection exceeds the size threshold. Default value is 25 GB)
Findings are written to a dedicated index. For example, a finding is written to mc_kvstore_retention and then removed from the KV Store. This allows you to review historical data without retaining high-volume data in the KV Store.

Retention policy for findings added to investigations

Following are the retention policies for findings that are added to investigations:

Findings added to investigations are not eligible for deletion based on the retention policy of findings.
Findings added to investigations are governed by the investigation's retention policy
Findings added to investigations remain available until the investigation is closed and exceeds the waiting period.

Rules for cleaning up investigations

Following are some rules for cleaning up investigations:

Only investigations in a Closed state are eligible for deletion
A waiting period must elapse after the close of an investigation before it is deleted.
When an investigation is deleted, all associated notes, comments, and attachments are removed
Findings linked to the investigation are handled according to the retention policy of the investigation.This prevents active or recently closed investigations from premature deletion.

Attachment retention policies

Attachments are stored outside of indexed data and do not contribute to the daily ingestion limits. However, attachments are removed when their parent investigation or note is deleted.

Following are the attachment limits:


Limit	Value
Max file size	4 MB per file
Files allowed for each note	Multiple notes allowed
Storage cost	Does not count toward indexing license

Splunk Enterprise Security 8

Index backups for KV Store collections

Retention policy for findings added to investigations

Rules for cleaning up investigations

Attachment retention policies

ON THIS PAGE

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

Enterprise Security

SOAR

IT Service Intelligence

Content Packs

Splunk Observability Cloud

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

Developer Documentation

Splunkbase

Splunk Enterprise

Splunk Cloud Platform

Splunkbase

DATA MANAGEMENT

SEARCH AND ANALYTICS

ADMINISTRATION

Enterprise Security

SOAR

ENTERPRISE SECURITY

SOAR

RELATED APPS

IT Service Intelligence

Content Packs

ITSI

IT Ops

ADMINISTRATION

EXTENSIONS

Splunk Observability Cloud

MONITORING

DATA MANAGEMENT

ADMINISTRATION

AppDynamics SaaS

AppDynamics On-Premises

SAP Agent

ESSENTIALS

MONITORING

ADMINISTRATION

Developer Documentation

Splunkbase

PLATFORM

OBSERVABILITY

REFERENCE

Resources

REFERENCE

Learn More

Support

KV Store collection backups and retention

Index backups for KV Store collections

Retention policy for findings added to investigations

Rules for cleaning up investigations

Attachment retention policies