topic Re: Attempting to retire (delete) old data in Splunk Search

Attempting to retire (delete) old data

RNB — Tue, 28 Jun 2011 13:36:20 GMT

I would like to trim back on the amount of disk space being used. We have decided that we would like to keep about 18 months worth of data. We do not have to retain our data for any legislated period of time. Last week I added frozenTimePeriodInSecs = 46656000 to /opt/splunk/etc/system/local/indexes.conf.

I had assumed from the documentation that rotatePeriodInSecs = 60 in /opt/splunk/etc/system/default/indexes.conf would cause the move to frozen (delete) would start almost immediately after a restart. However, despite a restart, I still have data prior to 18 months ago.

What am I missing?

Re: Attempting to retire (delete) old data

dwaddle — Tue, 28 Jun 2011 14:17:04 GMT

Splunk will not freeze a bucket until the newest event in the bucket is older than frozenTimePeriodInSecs. Your buckets containing 18+ month old data could have just one event newer than that and it would be enough to keep the whole bucket alive. You could use the dbinspect search command to produce a report on the status of your various buckets. http://www.splunk.com/base/Documentation/latest/SearchReference/Dbinspect

You'd be looking for buckets where the latestTime is more than 46656000 seconds ago - those are the ones that should have rolled off by now.

Re: Attempting to retire (delete) old data

e2zippo — Mon, 04 Feb 2013 13:49:38 GMT

I'm having some trouble getting this to work as well,( I only want to save 6 months back)
I've created a indexes.conf and put it in

/splunk/etc/system/local/indexes.conf

And the only line in that file is

frozenTimePeriodInSecs = 15768000.

I've restarted splunk several times, but nothing happens.

What would be the easiest way to remove data older than six months and keep it that way based on what I've done?

Keep in mind I've barely touched Splunk, I just installed it.

Cheers!