topic Re: Indexes having more data than retention period defined in Deployment Architecture

Indexes having more data than retention period defined

ramprakash — Tue, 29 Sep 2020 22:46:20 GMT

Hi Everyone,

We have one index defined in indexes.conf with frozenTimePeriodInSecs as 365 days (31536000 seconds), but there are 3 years of data stored in index.It seems not working if we just define retention time period in frozenTimePeriodInSecs. Can someone help ?

$ view ./apps/launcher/local/indexes.conf
[Indexname]
coldPath = $SPLUNK_DB/Indexname/colddb
homePath = $SPLUNK_DB/Indexname/db
thawedPath = $SPLUNK_DB/Indexname/thaweddb

Maximum index total size in MB

maxTotalDataSizeMB = 35000

frozenTimePeriodInSecs = 31536000

Re: Indexes having more data than retention period defined

lakshman239 — Tue, 15 Jan 2019 15:17:27 GMT

If you define the changes via the config, you will need to restart the splunk, to make effect.

Re: Indexes having more data than retention period defined

somesoni2 — Tue, 15 Jan 2019 15:32:54 GMT

Also, the data (bucket) is frozen only when the most recent event in the bucket is older then the retention period. Sometimes, a bucket can have data for varying/larger dates-range (e.g. a bucket has data for whole 1 year) and doesn't roll until the event with newest time is older than retention period. See this for more information on the same.

https://docs.splunk.com/Documentation/Splunk/7.2.3/Indexer/Setaretirementandarchivingpolicy#Freeze_data_when_it_grows_too_old

Re: Indexes having more data than retention period defined

ramprakash — Tue, 15 Jan 2019 15:40:32 GMT

Yes Splunk has been restarted and it has most recent data in Indexes.

Re: Indexes having more data than retention period defined

ramprakash — Tue, 15 Jan 2019 15:49:14 GMT

Do i need to check configuration file precedence if the settings mentioned by me are fine.

Re: Indexes having more data than retention period defined

lakshman239 — Tue, 15 Jan 2019 16:19:19 GMT

ok. As a good practice, pls put all your config in a custom 'app' or under 'search' app if its temporary. If the issue is resolved, pls accept the answer to close the thread.

Re: Indexes having more data than retention period defined

skoelpin — Tue, 15 Jan 2019 16:43:28 GMT

To clarify, you pulled this from your indexer and not the search head right?

Re: Indexes having more data than retention period defined

somesoni2 — Tue, 15 Jan 2019 16:49:46 GMT

Sure. Run btool command on your indexers to see what frozenTimePeriodInSecs is effective.

Go to $SPLUNK_HOME/bin and then run this:

./splunk btool indexes list IndexName --debug

This should show you what the effective configuration is and from what location.

Re: Indexes having more data than retention period defined

ramprakash — Tue, 15 Jan 2019 16:50:29 GMT

I pulled data from Search head and found that it has 3 years of data but when i logged in to check configuration files it shows me 1 year retention settings

Re: Indexes having more data than retention period defined

ramprakash — Tue, 15 Jan 2019 17:09:46 GMT

I pulled data from Search head and found that it has 3 years of data but when i logged in to check configuration files it shows me 1 year retention settings

Re: Indexes having more data than retention period defined

skoelpin — Tue, 15 Jan 2019 17:10:37 GMT

The stanza you posted in your original question, did that stanza come from the search head or indexer?

Re: Indexes having more data than retention period defined

ramprakash — Tue, 15 Jan 2019 17:11:20 GMT

I pulled data from Search head and found that it has 3 years of data but when i logged in to check configuration files it shows me 1 year retention settings

Re: Indexes having more data than retention period defined

somesoni2 — Tue, 15 Jan 2019 19:35:53 GMT

Could you run this search and see what values of startEpoch and endEpoch you get for your index.

| dbinspect index=YourIndex earliest=0 | table index *Epoch splunk_server path  | convert ctime(*Epoch) | rename splunk_server as Indexer

This command will list all the data buckets you have for your index. If endEpoch values are newer than your data retention period, then those buckets will not be frozen.

Re: Indexes having more data than retention period defined

skoelpin — Tue, 15 Jan 2019 19:41:22 GMT

What server did you login to check the configuration files? If you logged into the search head, then this will have no impact on retention as data lives on the indexers.

Is this a standalone setup?

Re: Indexes having more data than retention period defined

ramprakash — Wed, 16 Jan 2019 14:35:33 GMT

No I checked the Indexer configuration only. Yes it is standalone setup

Re: Indexes having more data than retention period defined

ramprakash — Wed, 16 Jan 2019 14:36:15 GMT

Yes it is showing 365 days only

Re: Indexes having more data than retention period defined

ramprakash — Wed, 16 Jan 2019 14:38:33 GMT

Hi@somesoni2..I think the issue is with hot buckets only. All the data is in Hot and Warm buckets and nothing has been moved to Cold buckets. Can you guide me what best config i choose so that 365 days data is always searchable and old data should be delete.

Re: Indexes having more data than retention period defined

skoelpin — Wed, 16 Jan 2019 14:50:59 GMT

I don't understand... How could you check the indexer config only if this is a standalone setup?

Re: Indexes having more data than retention period defined

ramprakash — Wed, 16 Jan 2019 14:54:09 GMT

Sorry i meant it is not clustered environment