I have a 6.x environment and I want to configure splunk to only retain the last 30 days worth of data. How do I configure this for each indexer. I have 315 GB per indexer. I have 5 indexers. I only want to retain the last 30 days of data on each indexer. I see data files in my indexers(db) that are from 2014 and 2015 in this directory path - /opt/tools/splunk/var/lib/splunk. I setup two indexes, but I also see quite a bit data files in the defaultdb.
You can use the
speaks about it... something like -
[90day_index] frozenTimePeriodInSecs = 7776000 [forever_index] frozenTimePeriodInSecs = 188697600
Have look at SPlunk doc for this
Since you've limited/smaller space then splunk's default index size 500,000MB, I would suggest to set both maxTotalDataSizeMB and frozenTimePeriodInSecs.