https://community.splunk.com/t5/Getting-Data-In/Remove-data-when-it-ages/m-p/83378#M17323 <P>Hi Shangshin</P> <P>Keeping only one hour of data is pretty short, what is your use case ?</P> <P>A short <STRONG>frozenTimePeriodInSecs</STRONG> will not be enough to ensure that the data is frozen quickly.<BR /> This is because the events are written in buckets, a bucket have a certain span of time, or a maximum size. The bucket being written are in hot state, and roll to warm (or cold) state when they became read only. But only warm or cold state buckets can actually be frozen, and only if all the events their contains are older than the frozenTimePeriodInSecs or the maximum size of the index is reached. Then the ones containing the oldest events will be frozen.</P> <P>The <STRONG>maxHotSpanSecs</STRONG> parameter can be used to limit the span times for your buckets, and force them to roll from hot to warm more often. Then the frozenTimePeriodInSecs will kick in.</P> <P>see <A href="http://wiki.splunk.com/Deploy:BucketRotationAndRetention">http://wiki.splunk.com/Deploy:BucketRotationAndRetention</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Indexesconf">http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Indexesconf</A></P> Mon, 25 Jun 2012 21:24:09 GMT yannK 2012-06-25T21:24:09Z https://community.splunk.com/t5/Getting-Data-In/Remove-data-when-it-ages/m-p/83377#M17322 <P>Hi, I saw <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Setaretirementandarchivingpolicy">the doc</A> on how to remove data when it ages.<BR /> Most of my log data goes to the default index db which is "main" </P> <P>So assuming I want to index data for ONLY the latest one hour, I added these 2 lines in /etc/system/default/indexes.conf </P> <PRE><CODE>[main] frozenTimePeriodInSecs = 3600 </CODE></PRE> <P>On top of that I also created a new file /etc/system/local/indexes.conf with the same 2 lines.</P> <PRE><CODE>[main] frozenTimePeriodInSecs = 3600 </CODE></PRE> <P>Then I restarted splunk server but I still saw data older than 1 hour ago. </P> <P>Can anyone shed some light on it? Thank you!!!</P> Mon, 25 Jun 2012 20:33:26 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-data-when-it-ages/m-p/83377#M17322 shangshin 2012-06-25T20:33:26Z https://community.splunk.com/t5/Getting-Data-In/Remove-data-when-it-ages/m-p/83378#M17323 <P>Hi Shangshin</P> <P>Keeping only one hour of data is pretty short, what is your use case ?</P> <P>A short <STRONG>frozenTimePeriodInSecs</STRONG> will not be enough to ensure that the data is frozen quickly.<BR /> This is because the events are written in buckets, a bucket have a certain span of time, or a maximum size. The bucket being written are in hot state, and roll to warm (or cold) state when they became read only. But only warm or cold state buckets can actually be frozen, and only if all the events their contains are older than the frozenTimePeriodInSecs or the maximum size of the index is reached. Then the ones containing the oldest events will be frozen.</P> <P>The <STRONG>maxHotSpanSecs</STRONG> parameter can be used to limit the span times for your buckets, and force them to roll from hot to warm more often. Then the frozenTimePeriodInSecs will kick in.</P> <P>see <A href="http://wiki.splunk.com/Deploy:BucketRotationAndRetention">http://wiki.splunk.com/Deploy:BucketRotationAndRetention</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Indexesconf">http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Indexesconf</A></P> Mon, 25 Jun 2012 21:24:09 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-data-when-it-ages/m-p/83378#M17323 yannK 2012-06-25T21:24:09Z https://community.splunk.com/t5/Getting-Data-In/Remove-data-when-it-ages/m-p/83379#M17324 <P>Thanks for detail explanation. It's very helpful.</P> Tue, 26 Jun 2012 18:53:52 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-data-when-it-ages/m-p/83379#M17324 shangshin 2012-06-26T18:53:52Z