https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350664#M64360 <P>Hi splunkgk,<BR /> you have to put your options in every indexes.conf stanzas.</P> <P>I don't like to have a so large hot area because hot buckets are written and read at the same time, instead warm buckets are only read and this is more efficient in searches (see <A href="http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/HowSplunkstoresindexes">http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/HowSplunkstoresindexes</A> ).</P> <P>the cold period depends from the global retention defined in frozenTimePeriodInSecs and from how long that buckets are hot and warm.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 11 Jul 2017 11:01:26 GMT gcusello 2017-07-11T11:01:26Z https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350658#M64354 <P>Hi,</P> <P>I wanted to apply data retention policy on splunk enterprise for the first time (as of now this is default) as per below criteria.</P> <P>All indexes will have the last 12 months of data available for search "hot bucket" <BR /> After this, data will roll to the "warm bucket" for 3 months. <BR /> Then the "cold bucket" for 3 months. <BR /> After 18 months all incoming data is effectively irrecoverable from Splunk.</P> <P>This will be great of someone cloud share me how exactly this can be done and how to set the indexes.conf.</P> <P>-Thanks</P> Tue, 20 Jun 2017 05:03:58 GMT https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350658#M64354 splunkgk 2017-06-20T05:03:58Z https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350659#M64355 <P>Hi splunkgk,<BR /> roll from hot to warm bucket doesn't move logs so it isn't a good idea to have large hot buckets (see <A href="http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/HowSplunkstoresindexes">http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/HowSplunkstoresindexes</A> ).<BR /> Anyway, parameters to roll buckets are described in <A href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Indexesconf">https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Indexesconf</A></P> <P>Bye.<BR /> Giuseppe</P> Tue, 20 Jun 2017 11:52:47 GMT https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350659#M64355 gcusello 2017-06-20T11:52:47Z https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350660#M64356 <P>HI Giuseppe, Thanks for reply. I have gone though the settings and a question here, I have around 8 indexes which are configured in my "search" app located under /SPLUNLK_HOME/etc/apps/search/local/indexes.conf. My question here is how do i set rolling parameter which should effect on all indexes. </P> <P>Or is that i need to add a parameter in indivisual [index] blocks in each apps?</P> <P>I want to apply the above criteria (Base question) on indexes in all my apps globally. Could you please suggests me where can i teak the settings?</P> <P>-thanks</P> Wed, 21 Jun 2017 09:13:02 GMT https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350660#M64356 splunkgk 2017-06-21T09:13:02Z https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350661#M64357 <P>Hi splunkgk,<BR /> I usually put my indexes.conf in a dedicated App, but it depends by architecture: e.g. a clustered architecture requires that indexes are managed by Master Node and I prefer to have only one indexes.conf, instead, if you have more than one Indexer, you could manage them deploying a TA (containing indexes.conf) by Deployment Server; if instead you have a Stand Alone server, maybe it's simpler to insert indexes.conf in each App, it's your own approach.</P> <P>Anyway, these Parameters must be modified in each stanza of indexes.conf files.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 21 Jun 2017 09:47:02 GMT https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350661#M64357 gcusello 2017-06-21T09:47:02Z https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350662#M64358 <P>Hi Giuseppe, Thank your your reply.<BR /> My current architecture is stand alone server and i do not have a clustered index. indexes.conf are placed in individual app folder under /SPLUNK_HOME/etc/apps/search/local/indexes.conf.</P> <P>Here is below my one of index which is a having large data under "search" app.</P> <P>[index_name]<BR /> coldPath = $SPLUNK_DB/index_name/colddb<BR /> homePath = $SPLUNK_DB/index_name/db<BR /> thawedPath = $SPLUNK_DB/index_name/thaweddb<BR /> maxTotalDataSizeMB = 750000</P> <P>so I would like to apply data retention on this index as mentioned in the question as (roll must happen as HOT Bucket =12 months, WARM bucket= 3 months and COLD bucket= 3 months, over the period of 18 months data must not reside on splunk volume)</P> <P>is the below setting need to set on each of indexes.conf on each apps?<BR /> maxHotIdleSecs = 31536000( as i wanted to retain 12 months of data in HOT bucket)<BR /> maxWarmDBCount = 300<BR /> frozenTimePeriodInSecs = 7884000 (90 days in sec, cold to frozen)<BR /> coldToFrozenDir = /archive/myindex ( after 90 days, index goes here)</P> <P>Thanks,</P> Tue, 29 Sep 2020 14:37:43 GMT https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350662#M64358 splunkgk 2020-09-29T14:37:43Z https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350663#M64359 <P>Hi Giuseppe,</P> <P>is the below setting in /SPLUNK_HOME/etc/system/local/indexes.conf will works on all of my current indexes which are stored in /SPLUNK_HOME/var/lib/splunk?</P> <P>[default]<BR /> frozenTimePeriodInSecs = 31536000 [1 year]<BR /> enableTsidxReduction = true<BR /> timePeriodInSecBeforeTsidxReduction = 345600 [4 days]</P> <P>Or should i copy this stanza in individual indexes ?</P> <P>One thing I should take care that, The data must be stay in cold bucket for 3 months before this rolled to FREEZE.</P> <P>How do make sure the above retention policy works with my criteria</P> <P>-Thanks</P> Tue, 29 Sep 2020 14:49:47 GMT https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350663#M64359 splunkgk 2020-09-29T14:49:47Z https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350664#M64360 <P>Hi splunkgk,<BR /> you have to put your options in every indexes.conf stanzas.</P> <P>I don't like to have a so large hot area because hot buckets are written and read at the same time, instead warm buckets are only read and this is more efficient in searches (see <A href="http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/HowSplunkstoresindexes">http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/HowSplunkstoresindexes</A> ).</P> <P>the cold period depends from the global retention defined in frozenTimePeriodInSecs and from how long that buckets are hot and warm.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 11 Jul 2017 11:01:26 GMT https://community.splunk.com/t5/Getting-Data-In/Process-for-Data-retenetion-policies/m-p/350664#M64360 gcusello 2017-07-11T11:01:26Z