Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I expire a bucket with future events?

I_am_Jeff
Communicator
‎08-12-2013 11:26 AM

I realize buckets die off as the newest event surpasses the expiration date. I also understand that deleting events do not remove the events, simply mask them from appearing in search results.

My question is, do deleted events count when Splunk decides on when to expire a bucket file? In other words, does deleting an event remove it from Splunk's calculations for expiration? I am looking for a way to manage an index corrupted with future events, other than manually deleting very old files manually, when the time comes. The other events in the index are valid and needed.

I am using Splunk version 4.3.4, soon to be upgraded to version 5.x.

This is related to my Splunk-Base "How do i configure an index to manage future events" question. An answer here or there may solve both.

Please correct me if I misunderstand anything and thanks for the help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-12-2013 12:50 PM

I think that deleting events will not affect how a bucket is frozen. I believe that the only parameter involved in that decision is the timestamp in the name of the directory where the data is stored. For each bucket directory the naming convention is;

db_newestTimestamp_oldestTimeStamp_sequenceNo

I don't think that Splunk will change the name of the bucket when data is deleted.

/k

View solution in original post

Reply
Solved! Jump to solution

I_am_Jeff
Communicator
‎08-13-2013 02:57 PM

Kristian, convert your comment to an answer and I'll accept.

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎08-12-2013 02:17 PM

Kristian is right. Splunk cannot manage buckets on an event by event basis. You can use an epoch time converter to check the timestamps on your buckets: www.epochconverter.com/

Reply
Solved! Jump to solution

I_am_Jeff
Communicator
‎08-12-2013 12:58 PM

Good point! Perhaps there is a search that I can run to identify the buckets I'd need to manually handle after a couple of years?

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-12-2013 12:50 PM

I think that deleting events will not affect how a bucket is frozen. I believe that the only parameter involved in that decision is the timestamp in the name of the directory where the data is stored. For each bucket directory the naming convention is;

db_newestTimestamp_oldestTimeStamp_sequenceNo

I don't think that Splunk will change the name of the bucket when data is deleted.

/k

Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...