https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659118#M27516 <P>I think I should also have mentioned that I have stopped ingestion onto this index for now. Until I figure out how to reduce the storage/clean the data.</P> Fri, 29 Sep 2023 18:41:41 GMT felipesodre 2023-09-29T18:41:41Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659115#M27515 <P>Hi, and sorry if this question was already answered in any other thread.</P><P>&nbsp;</P><P>Thanks in advance for the help.</P><P>I had an index in which the current size was over 10 GB,&nbsp; for deleting the data I tried to reduce it's max size and searchable retention.</P><P>My question is what is going to happen with the data? Will it be deleted from the servers or archived? I am confused because I am seeing the event counts stuck with the same value as it was before changing the retention config.</P><P>Previous index config:</P><P>Current Size 10 GB, Max Size: 0, Event Count: 10M, Earliest Event: 5 Months, Latest Event: 1 day, Searchable Retention: 365 days,&nbsp; Archive Retention: blank, Self Storage: blank, Status: enabled</P><P>Then, I changed the parameters&nbsp; "Max Size" to&nbsp; "200 MB" and "Searchable Retention" to "1 Day".</P><P>Besides, when running the following query,&nbsp;&nbsp;I see the warm storage size pretty much with the same size (bouncing a few mbs).</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">|dbinspect index=_internal *&lt;index-name&gt;* | stats sum(sizeOnDiskMB) by state</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Any help greatly appreciated.</P><P>&nbsp;</P> Fri, 29 Sep 2023 19:30:02 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659115#M27515 felipesodre 2023-09-29T19:30:02Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659118#M27516 <P>I think I should also have mentioned that I have stopped ingestion onto this index for now. Until I figure out how to reduce the storage/clean the data.</P> Fri, 29 Sep 2023 18:41:41 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659118#M27516 felipesodre 2023-09-29T18:41:41Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659143#M27517 <P><A class="" href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352" target="_self"><SPAN class="">gcusello</SPAN></A><SPAN>&nbsp;Any guidance?</SPAN></P> Fri, 29 Sep 2023 21:39:53 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659143#M27517 felipesodre 2023-09-29T21:39:53Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659144#M27518 <P><SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a>&nbsp;</SPAN></P> Fri, 29 Sep 2023 22:23:50 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659144#M27518 felipesodre 2023-09-29T22:23:50Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659145#M27519 <P>There is so much "depends" here that we could open a nursing home.&nbsp; Are you using SmartStore?&nbsp; Are you using indexer clustering?&nbsp; What are your SF/RF settings?&nbsp; Are you using Volume settings for your indexers?&nbsp; Are you Splunk Cloud?&nbsp; What is the "btool" output for your indexes.conf from one of your indexers?</P> Fri, 29 Sep 2023 22:35:45 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659145#M27519 woodcock 2023-09-29T22:35:45Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659146#M27520 <P>Hi, thank you for replying back.</P><P>&nbsp;</P><P><SPAN>Settings:</SPAN></P><P><SPAN>SmartStore: No</SPAN></P><P><SPAN>Indexer clustering: No</SPAN></P><P><SPAN>SF/RF Settings Splunk: SF=2, RF=3</SPAN></P><P><SPAN>Volume settings: Default settings</SPAN></P><P><SPAN>Splunk Cloud: Yes</SPAN></P><P><SPAN>Unfortunately, I am unable to run the "btool".&nbsp;</SPAN><SPAN>However, I am able to run the following rest API query to gather the info from specific parameters for the mentioned index:</SPAN></P><P><SPAN>| rest /services/data/indexes<BR />| join type=outer title [<BR />| rest splunk_server=n00bserver /services/data/indexes-extended<BR />]<BR />| search title=*<BR />| eval retentionInDays=frozenTimePeriodInSecs/86400<BR />| table *</SPAN></P><P>What should be the parameters to look for?</P><P>&nbsp;</P><P>Thanks again.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 29 Sep 2023 23:03:38 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659146#M27520 felipesodre 2023-09-29T23:03:38Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659150#M27521 <P>I am so confused as to why there are still buckets with data in which the endEpochTime is older than the "Searchable Retention"&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="felipesodre_2-1696030673541.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27386i1FD207E7B5DE36A8/image-size/large?v=v2&amp;px=999" role="button" title="felipesodre_2-1696030673541.png" alt="felipesodre_2-1696030673541.png" /></span></P><P>Thanks again</P><P>&nbsp;</P> Fri, 29 Sep 2023 23:39:22 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659150#M27521 felipesodre 2023-09-29T23:39:22Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659151#M27522 <P>Probably because there are also events (at least one) in that bucket that are younger.</P> Sat, 30 Sep 2023 00:26:47 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659151#M27522 woodcock 2023-09-30T00:26:47Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659152#M27523 <P>So, is it safe to assume that if no new data is ingested into this index the data should be gone by tomorrow (the same time I changed the config)?</P><P>&nbsp;</P><P>Thanks again</P> Sat, 30 Sep 2023 00:33:18 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659152#M27523 felipesodre 2023-09-30T00:33:18Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659172#M27524 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59510">@felipesodre</a>&nbsp;,</P><P>when your bucket completely exceed the retention time (also the earliest event in the bucket) or the bucket reaches the maxSize it can be discarded or moved to offline in a different folder.</P><P>As described at <A href="https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Indexesconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Indexesconf</A>&nbsp;, it dependa on the parameter coldToFrozenScript that specifies a script to run when data is to leave the splunk index system, in other words, what happens to the bucket after the retention period.</P><P>If, using a script, you move your Cold Bucket to offline, you can re use them copying them in the Thawed path.</P><P>Otherwise you can discard them and the entire bucket is deleted.</P><P>You can find more details in this document&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setaretirementandarchivingpolicy" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setaretirementandarchivingpolicy</A>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Sat, 30 Sep 2023 10:52:23 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659172#M27524 gcusello 2023-09-30T10:52:23Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659208#M27525 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59510">@felipesodre</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 30 Sep 2023 16:06:48 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659208#M27525 gcusello 2023-09-30T16:06:48Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659209#M27526 <P>Thank you for clarifying that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 30 Sep 2023 16:09:57 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659209#M27526 felipesodre 2023-09-30T16:09:57Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659228#M27527 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>Small correction - bucket is eligible for rotation to frozen if _latest_ event in it is older than the retention limit, not earliest.</P> Sat, 30 Sep 2023 21:44:32 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659228#M27527 PickleRick 2023-09-30T21:44:32Z https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659237#M27528 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59510">@felipesodre</a>&nbsp;,</P><P>correct, sorry!</P><P>Ciao.</P><P>Giuseppe</P> Sun, 01 Oct 2023 08:18:02 GMT https://community.splunk.com/t5/Deployment-Architecture/Understanding-Splunk-Index-Retention/m-p/659237#M27528 gcusello 2023-10-01T08:18:02Z