topic Delete index foobar info older than 2 weeks. in Getting Data In

Delete index foobar info older than 2 weeks.

dcroteau — Fri, 21 May 2010 20:09:20 GMT

we only want to save the log info for 2 weeks. I tried to set this up by modifying the frozen time, but it doesn’t seem to work. How can I delete info from index foobar database that is older than 2 weeks?

Re: Delete index foobar info older than 2 weeks.

Lowell — Fri, 21 May 2010 20:18:43 GMT

Can you post your current index settings for the index in question. (You can run btool indexes layer <your_index_name> to show all the settings applied to your index.)

Re: Delete index foobar info older than 2 weeks.

Lowell — Fri, 21 May 2010 20:48:11 GMT

Off the top of my head, you will probably need to make sure that your buckets are rotated quite frequently, which can be done by setting a very low maximum hot size or setting a short max time span, or both, I suppose.

indexes.conf:

[foobar]

# 2 day max for hot
maxHotSpanSecs=172800

# 200 Mb max for hot
maxDataSize = 200

# Expire data after 2 weeks
frozenTimePeriodInSecs=1209600

BTW, you can force a delete of events older than 2 weeks by searching for events more than two weeks old, then piping that search through the | delete command. However, this does not free up any disk space; so I'm guessing this isn't what your looking for.

Re: Delete index foobar info older than 2 weeks.

gkanapathy — Sat, 22 May 2010 12:45:52 GMT

frozenTimePeriodInSecs does not guarantee deletion after that time. It simply means that data may be deleted after that time. Data older than that will in fact be deleted as long as everything else that it shares an index bucket with is also eligible for deletion. This is because deletion (by which I mean actual deletion not the surgical | delete command - that doesn't really "delete" data) is done on a whole-bucket basis, so unless an entire bucket is eligible for deletion, none of the data will be deleted.