https://community.splunk.com/t5/Getting-Data-In/Old-log-getting-stored-as-csv-format-even-before-retention/m-p/651270#M110616 <P>Hi Team,</P> <P>We have defined the index retention as 420 days but when we are trying to access the logs those are in .csv format not as event-value format.</P> <P>PFA of index details and below indexes.conf confuguration if that index.</P> <P>&nbsp;</P> <P>[rt_efb]<BR /># 250MB a day / 35 days in warm / 460 days retention / 8 GB max index size<BR />homePath = volume:hot/rt_efb/db<BR />coldPath = volume:cold/rt_efb/colddb<BR />thawedPath = $SPLUNK_DB/rt_efb/thaweddb<BR />#set to 5 days, +- 5days padding<BR />maxHotSpanSecs = 432000<BR />#set to 2 hot buckets<BR />maxHotBuckets = 2<BR />homePath.maxDataSizeMB = 2500<BR />coldPath.maxDataSizeMB = 5500<BR />frozenTimePeriodInSecs = 39744000<BR />maxTotalDataSizeMB = 26000</P> <P>&nbsp;</P> <P>Can you please suggest us on this?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Anil</P> <P>&nbsp;</P> Fri, 21 Jul 2023 17:54:46 GMT anil28 2023-07-21T17:54:46Z https://community.splunk.com/t5/Getting-Data-In/Old-log-getting-stored-as-csv-format-even-before-retention/m-p/651270#M110616 <P>Hi Team,</P> <P>We have defined the index retention as 420 days but when we are trying to access the logs those are in .csv format not as event-value format.</P> <P>PFA of index details and below indexes.conf confuguration if that index.</P> <P>&nbsp;</P> <P>[rt_efb]<BR /># 250MB a day / 35 days in warm / 460 days retention / 8 GB max index size<BR />homePath = volume:hot/rt_efb/db<BR />coldPath = volume:cold/rt_efb/colddb<BR />thawedPath = $SPLUNK_DB/rt_efb/thaweddb<BR />#set to 5 days, +- 5days padding<BR />maxHotSpanSecs = 432000<BR />#set to 2 hot buckets<BR />maxHotBuckets = 2<BR />homePath.maxDataSizeMB = 2500<BR />coldPath.maxDataSizeMB = 5500<BR />frozenTimePeriodInSecs = 39744000<BR />maxTotalDataSizeMB = 26000</P> <P>&nbsp;</P> <P>Can you please suggest us on this?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Anil</P> <P>&nbsp;</P> Fri, 21 Jul 2023 17:54:46 GMT https://community.splunk.com/t5/Getting-Data-In/Old-log-getting-stored-as-csv-format-even-before-retention/m-p/651270#M110616 anil28 2023-07-21T17:54:46Z https://community.splunk.com/t5/Getting-Data-In/Old-log-getting-stored-as-csv-format-even-before-retention/m-p/651468#M110645 <P>Hi</P><P>What you are meaning with "<SPAN>those are in .csv format"?</SPAN></P><P><SPAN>As you are using volumes (it's best practices) there are also those volume sizing&nbsp;</SPAN>parameters which could also affect what you really have on disk.</P><P>btw. you cannot define how long events are in warm. There is no that kind of parameter. Only things what you can do is define how many buckets can be on warm state and how much space they have. Of course also max volume is one constraint for all indexes in that volume.</P><P>As there are already quite many answers about this issue, You could look those e.g. with google like "site:community.splunk.com&nbsp;splunk event retention parameters" or something similar.</P><P>r. Ismo</P> Fri, 21 Jul 2023 11:57:48 GMT https://community.splunk.com/t5/Getting-Data-In/Old-log-getting-stored-as-csv-format-even-before-retention/m-p/651468#M110645 isoutamo 2023-07-21T11:57:48Z