How do I find out how long I am retaining data?

Path Finder

I am trying to do some planning for future growth of our Splunk environment, and as part of that, I need to find out how long I am retaining data with our current disk space. Is there a command or somewhere I can check to find out how old my oldest indexed data is? For obvious reasons, I'd rather not do a search over All Time on host names to accomplish this. We are on 4.05.

Thanks.

1 Solution

Champion

In SplunkUI, go to Manager >> Indexes as an Admin user. The "Earliest Event" column will tell this.

Splunk Employee

Note that we retire data a bucket at a time, by the leading edge of the bucket, so in cases where your data is ragged you may have to inspect the data bucket by bucket to see where the leading edge is.

You can do this by running dir on the index directories and decoding the Unix epoch time numbers, or by using the dbinspect command, e.g.:

splunk> |dbinspect index=main span=1d |tail 40

This tells you for the oldest 40 days in your index, which buckets have that data. At the point where your oldest bucket stops being represented, that's this value. Change the span and tail values to suit.

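The directory-listing approach from the reply above, as an added example that is not part of the original thread: it decodes the epoch numbers in bucket directory names and compares the oldest event on disk with the oldest bucket leading edge. It assumes warm/cold bucket directories are named db_<newest epoch>_<oldest epoch>_<id>, which this page does not state; the sample names and the NOW value are constructed.

```python
import re
from datetime import datetime, timezone

# Assumed layout of warm/cold bucket directory names (not stated on this page):
#   db_<newest event epoch>_<oldest event epoch>_<bucket id>
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")


def parse_buckets(names):
    """Return a dict per bucket directory; names that do not match are skipped."""
    buckets = []
    for name in names:
        m = BUCKET_RE.match(name)
        if m is None:
            continue  # e.g. hot buckets, whose names carry no time range
        newest, oldest, bucket_id = map(int, m.groups())
        buckets.append({"name": name, "newest": newest, "oldest": oldest, "id": bucket_id})
    return buckets


def summarize(names, now):
    """Compare the oldest event on disk with the oldest bucket leading edge."""
    buckets = parse_buckets(names)
    if not buckets:
        return None
    next_out = min(buckets, key=lambda b: b["newest"])  # oldest leading edge
    earliest = min(buckets, key=lambda b: b["oldest"])  # holds the oldest event
    return {
        "next_to_retire": next_out["name"],
        "leading_edge_days": (now - next_out["newest"]) // 86400,
        "earliest_event_bucket": earliest["name"],
        "earliest_event_days": (now - earliest["oldest"]) // 86400,
    }


def iso(epoch):
    """Format an epoch value as a UTC date."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


# Constructed sample listing; the second bucket is ragged (very old events, recent edge).
SAMPLE = ["db_1262304000_1259625600_3", "db_1267401600_1230768000_4",
          "db_1264982400_1262304000_5", "hot_v1_6"]
NOW = 1270080000  # constructed "current time", 2010-04-01 UTC

if __name__ == "__main__":
    for b in sorted(parse_buckets(SAMPLE), key=lambda b: b["newest"]):
        print(b["name"], iso(b["oldest"]), "->", iso(b["newest"]))
    print(summarize(SAMPLE, NOW))
```

With the constructed sample, the oldest event is 455 days old but sits in a ragged bucket, while the oldest leading edge is only 90 days old, which is the gap the reply warns about.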

Splunk Employee

You can also run

| dbinspect index=xxx timeformat="%s" | stats min(earliestTime),max(latestTime) | convert ctime(*Time)

This does not run in distributed mode though. You can also get this information in distributed mode with

|metadata type=sourcetypes | stats min(firstTime),max(lastTime) | convert ctime(*Time)


Path Finder

Perfect! I completely forgot that data was there. Thank you!
