Data storage retention for 30 days of data

Explorer

I have a 6.x environment and I want to configure Splunk to retain only the last 30 days' worth of data. How do I configure this for each indexer? I have 315 GB per indexer. I have 5 indexers. I only want to retain the last 30 days of data on each indexer. I see data files in my indexers (db) that are from 2014 and 2015 in this directory path - /opt/tools/splunk/var/lib/splunk. I set up two indexes, but I also see quite a few data files in the defaultdb.

0 Karma

Ultra Champion

You can use the frozenTimePeriodInSecs config variable.

"How is frozenTimePeriodInSecs applied?" speaks about it... something like -

     [90day_index]
     frozenTimePeriodInSecs = 7776000

     [forever_index]
     frozenTimePeriodInSecs = 188697600
0 Karma

SplunkTrust

Have a look at the Splunk doc for this

http://docs.splunk.com/Documentation/Splunk/6.2.6/Indexer/Setaretirementandarchivingpolicy#Set_attri...

Since you have limited space, smaller than Splunk's default index size of 500,000 MB, I would suggest setting both maxTotalDataSizeMB and frozenTimePeriodInSecs.

0 Karma
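A check for the two settings named in the answers above, as an added example that is not from any poster in this thread: it reads an indexes.conf, reports every index whose frozenTimePeriodInSecs keeps data longer than 30 days, and adds up the maxTotalDataSizeMB caps against the 315 GB per indexer from the question. The sample file, the index names "web" and "fw", and the assumption that the whole 315 GB is available to indexes are constructed for illustration.

```python
import configparser

# Built-in values used when a stanza sets nothing (both figures appear in the thread).
BUILTIN = {"frozenTimePeriodInSecs": 188697600, "maxTotalDataSizeMB": 500000}

# Constructed sample indexes.conf; the index names "web" and "fw" are made up.
# [main] is the index whose buckets live under defaultdb.
SAMPLE_CONF = """
[main]
homePath = $SPLUNK_DB/defaultdb/db

[web]
frozenTimePeriodInSecs = 2592000
maxTotalDataSizeMB = 150000

[fw]
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 150000
"""

def audit_retention(conf_text, target_days=30, disk_mb=315 * 1024):
    """Report indexes kept longer than target_days and whether size caps fit the disk."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    # A [default] stanza, if present, overrides the built-in values for every index.
    base = dict(BUILTIN)
    if cp.has_section("default"):
        base.update({k: int(cp["default"][k]) for k in BUILTIN if k in cp["default"]})
    over_age, total_mb = {}, 0
    for name in cp.sections():
        if name == "default" or name.startswith("volume:"):
            continue  # not an index stanza
        sec = cp[name]
        days = int(sec.get("frozenTimePeriodInSecs", base["frozenTimePeriodInSecs"])) / 86400
        total_mb += int(sec.get("maxTotalDataSizeMB", base["maxTotalDataSizeMB"]))
        if days > target_days:
            over_age[name] = days
    return {"over_age": over_age, "total_mb": total_mb, "fits_disk": total_mb <= disk_mb}

if __name__ == "__main__":
    report = audit_retention(SAMPLE_CONF)
    for name, days in report["over_age"].items():
        print(f"[{name}] keeps data {days:.0f} days, target is 30")
    print(f"size caps total {report['total_mb']} MB, fits disk: {report['fits_disk']}")
```

The script reads a single file and does not merge settings layered across several indexes.conf copies. On the sample it flags [main], which sets neither value and so falls back to the built-in defaults.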

SplunkTrust

Try this answer: https://answers.splunk.com/answers/389658/what-will-break-if-i-set-coldpath-to-devnull.html

---
If this reply helps you, an upvote would be appreciated.
0 Karma