Culling older events in an index

charlesslover
Engager

Yello! So I'm trying to remove events in a specific index older than a year, and all the references I've found so far, such as the primary link to the retention policy setting page (http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Setaretirementandarchivingpolicy) have told me the same thing. I am pretty sure I'm following the directions correctly, but it's not working.

The indexes.conf in etc/system/local is as below:

[datindextho]
coldPath = $SPLUNK_DB\datindextho\colddb
homePath = $SPLUNK_DB\datindextho\db
frozenTimePeriodInSecs = 31536000
thawedPath = $SPLUNK_DB\datindextho\thaweddb

The index is currently showing events from two years ago. I want to cut everything back to maximum one year. So far setting it this way and restarting Splunk has not caused the index to be reduced. Do I need more information in this stanza? Thank you all for your help!


cpetterborg
SplunkTrust

If you have a bucket that has events from two years ago that also has events from 364 days or less ago in the same bucket, then the events will remain there until the entire bucket is more than 1 year old. It only ages out buckets, so if you have a bucket that has events from today and 2 years ago, with a retention of one year, then the two year old events will still be there until they are 3 years old. You can delete events, but that only makes them not visible. There will be no free disk space from a delete unless all the data in the bucket is beyond the retention period. Use delete cautiously (and it usually requires changing the admin role to include that capability).

charlesslover
Engager

Thanks! I didn't know that buckets could contain events with such varying dates. 😞


cpetterborg
SplunkTrust

There is a way to specify that the events not be outside a range, but by default the above is what you have to deal with.

If you have found this has answered your question you can accept the answer so that in the future others will know that the question has been answered when they are searching.

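To make the two answers above concrete, here is an added example (not code from the thread or from Splunk) that models the retention rule and the bucket-span cap. It parses warm/cold bucket directory names, which Splunk writes as db_<latest_epoch>_<earliest_epoch>_<id>, applies frozenTimePeriodInSecs the way the indexer does (against the bucket's newest event only), and then simulates, in a deliberately simplified way, how maxHotSpanSecs keeps one bucket from spanning two years so that old data can actually age out. The directory listing, the "current time" and the event timestamps are all constructed for the example; the simulation ignores size-based rolling (maxDataSize) and quarantine buckets, which real Splunk also applies.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

DAY = 86400

# Splunk names each warm/cold bucket directory db_<latest_epoch>_<earliest_epoch>_<id>
# (rb_ for replicated copies). latest/earliest are the newest and oldest _time
# of the events stored in that bucket.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)$")


@dataclass
class Bucket:
    earliest: int
    latest: int
    name: str = ""


def parse_bucket_dir(name: str) -> Optional[Bucket]:
    """Parse a bucket directory name; returns None for hot buckets and other dirs."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    latest, earliest, _ = (int(g) for g in m.groups())
    return Bucket(earliest=earliest, latest=latest, name=name)


def would_freeze(bucket: Bucket, now: int, frozen_time_period_in_secs: int) -> bool:
    """frozenTimePeriodInSecs is tested against the bucket's *latest* event only.
    A bucket whose oldest event is three years old but whose newest event is
    twelve days old is not frozen, which is the situation in the question."""
    return now - bucket.latest > frozen_time_period_in_secs


def retention_report(dir_names: Iterable[str], now: int,
                     frozen_secs: int) -> Tuple[List[str], List[str]]:
    """Split a directory listing into (buckets that would freeze, buckets kept)."""
    frozen, kept = [], []
    for n in dir_names:
        b = parse_bucket_dir(n)
        if b is None:
            continue
        (frozen if would_freeze(b, now, frozen_secs) else kept).append(b.name)
    return frozen, kept


def assign_to_buckets(event_times: Iterable[int], max_hot_span_secs: float) -> List[Bucket]:
    """Simplified model of maxHotSpanSecs (assumption: this is how the cap is modelled
    here, not Splunk's code): roll the hot bucket rather than let its time span
    exceed the cap. Events are taken in arrival order, not sorted."""
    buckets: List[Bucket] = []
    current: Optional[Bucket] = None
    for t in event_times:
        if current is None:
            current = Bucket(earliest=t, latest=t)
            continue
        new_earliest, new_latest = min(current.earliest, t), max(current.latest, t)
        if new_latest - new_earliest > max_hot_span_secs:
            buckets.append(current)          # roll: this bucket is done
            current = Bucket(earliest=t, latest=t)
        else:
            current.earliest, current.latest = new_earliest, new_latest
    if current is not None:
        buckets.append(current)
    return buckets


def simulate(event_times: Iterable[int], max_hot_span_secs: float, now: int,
             frozen_secs: int) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Return (frozen, kept) as lists of (earliest, latest) spans for the buckets
    produced by assign_to_buckets, judged with the same rule as retention_report."""
    frozen, kept = [], []
    for b in assign_to_buckets(event_times, max_hot_span_secs):
        target = frozen if would_freeze(b, now, frozen_secs) else kept
        target.append((b.earliest, b.latest))
    return frozen, kept


if __name__ == "__main__":
    NOW = 1_700_000_000          # constructed "current time"
    ONE_YEAR = 31536000          # frozenTimePeriodInSecs from the question
    # Constructed listing of $SPLUNK_DB/datindextho/colddb
    listing = [
        "db_1640000000_1630000000_1",  # newest event 60,000,000 s old -> frozen
        "db_1699000000_1630000000_2",  # oldest ~2.2 years old, newest 12 days old -> kept
        "db_1668000000_1660000000_3",  # newest event 32,000,000 s old -> frozen
        "hot_v1_4",                    # hot bucket: rolls to warm first, never frozen directly
    ]
    print(retention_report(listing, NOW, ONE_YEAR))
    base = 1_600_000_000
    events = [base + d * DAY for d in (0, 30, 60, 100, 400, 500, 730)]
    # No span cap: one bucket covers two years and nothing ever freezes.
    print(simulate(events, float("inf"), base + 800 * DAY, 365 * DAY))
    # 90-day cap (Splunk's documented default for maxHotSpanSecs is 7776000 s):
    # the old part of the data lands in its own buckets and does age out.
    print(simulate(events, 90 * DAY, base + 800 * DAY, 365 * DAY))
```

To check this against a live index rather than the constructed listing, look at the real directory names under the index's db and colddb paths, or run `| dbinspect index=datindextho`, which reports each bucket's startEpoch and endEpoch; a bucket whose endEpoch is within the last year will not freeze no matter how old its startEpoch is.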