https://community.splunk.com/t5/Getting-Data-In/Delay-in-Splunk-purging-old-events/m-p/323408#M60232 <P>Hi @danielwan,</P> <P>Based on documentation of indexes.conf, index will remove data from index based on 2 parameters <CODE>frozenTimePeriodInSecs</CODE> OR <CODE>maxTotalDataSizeMB</CODE> whichever hit first.</P> <P>Now splunk stores data in hot, warm and cold buckets. In your case when you set <CODE>frozenTimePeriodInSecs</CODE> to <CODE>2592000</CODE> it will remove those warm or cold bucket which will have all events older than <CODE>frozenTimePeriodInSecs</CODE> . </P> <PRE><CODE>IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs before it will roll. </CODE></PRE> <P>So let's day one of the bucket contains earliest event 45 days older and latest event is 25 days older then this bucket(DB) will not remove and when you will search you will able to search data older than 30 days from that bucket, this bucket will remove when all events in that bucket are older than <CODE>frozenTimePeriodInSecs</CODE></P> <P>Now when you restart splunk it will roll hot bucket to warm and warm to cold based on your indexes.conf configuration and in this case if any hot bucket contain events older than 30 days then it will roll hot bucket to warm and then immedeiatly remove that bucket and due to that your index size decrease suddenly.</P> <P>Thanks,<BR /> Harshil</P> Mon, 23 Oct 2017 13:23:24 GMT harsmarvania57 2017-10-23T13:23:24Z https://community.splunk.com/t5/Getting-Data-In/Delay-in-Splunk-purging-old-events/m-p/323407#M60231 <P>My Splunk is a single Splunk 6.5.x instance, which needs to retain the last 30 days events, so I configured frozenTimePeriodInSecs = 2592000 in indexes.conf. But it does not work fine all the time. </P> <P>What I could tell is my indexes keep growing, and search with "latest=-30d" shows up some events sometimes. When the index size reaches the maximum index size which was configured in the index creation, or when I restart Splunk instance, the index size decreases to nearly half of the max index size. </P> <P>Is there any idea of why there is so significant delay for Splunk purging old events? and how to fix it?</P> Mon, 23 Oct 2017 13:05:08 GMT https://community.splunk.com/t5/Getting-Data-In/Delay-in-Splunk-purging-old-events/m-p/323407#M60231 danielwan 2017-10-23T13:05:08Z https://community.splunk.com/t5/Getting-Data-In/Delay-in-Splunk-purging-old-events/m-p/323408#M60232 <P>Hi @danielwan,</P> <P>Based on documentation of indexes.conf, index will remove data from index based on 2 parameters <CODE>frozenTimePeriodInSecs</CODE> OR <CODE>maxTotalDataSizeMB</CODE> whichever hit first.</P> <P>Now splunk stores data in hot, warm and cold buckets. In your case when you set <CODE>frozenTimePeriodInSecs</CODE> to <CODE>2592000</CODE> it will remove those warm or cold bucket which will have all events older than <CODE>frozenTimePeriodInSecs</CODE> . </P> <PRE><CODE>IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs before it will roll. </CODE></PRE> <P>So let's day one of the bucket contains earliest event 45 days older and latest event is 25 days older then this bucket(DB) will not remove and when you will search you will able to search data older than 30 days from that bucket, this bucket will remove when all events in that bucket are older than <CODE>frozenTimePeriodInSecs</CODE></P> <P>Now when you restart splunk it will roll hot bucket to warm and warm to cold based on your indexes.conf configuration and in this case if any hot bucket contain events older than 30 days then it will roll hot bucket to warm and then immedeiatly remove that bucket and due to that your index size decrease suddenly.</P> <P>Thanks,<BR /> Harshil</P> Mon, 23 Oct 2017 13:23:24 GMT https://community.splunk.com/t5/Getting-Data-In/Delay-in-Splunk-purging-old-events/m-p/323408#M60232 harsmarvania57 2017-10-23T13:23:24Z https://community.splunk.com/t5/Getting-Data-In/Delay-in-Splunk-purging-old-events/m-p/323409#M60233 <P>Hi danielwan,<BR /> event deletion is managed at bucket level, so when the latest event of a bucket is out of retention period bucket will be frozen or deleted.<BR /> This means that you can have online some events older that the retention period.<BR /> Bye.<BR /> Giuseppe</P> Mon, 23 Oct 2017 13:56:17 GMT https://community.splunk.com/t5/Getting-Data-In/Delay-in-Splunk-purging-old-events/m-p/323409#M60233 gcusello 2017-10-23T13:56:17Z