Deployment Architecture

How to delete data older than X number of days Manually

nickbijmoer
Path Finder

Hello,

I've got a problem: I don't have space anymore and I want to delete data that's older than X days manually.
I've tried:
frozenTimePeriodInSecs = 2592000
but SPLUNK is not deleting it.
I can't search anymore because I have no disk space anymore, so what can I do?

0 Karma
1 Solution

schose
Builder

Hi all,

Well, "| delete" will not delete it but only mark it as deleted. It will not give you any space back on the filesystem. The much better way is using frozenTimePeriodInSecs. Are you sure that you restarted your indexers? Verify with splunk btool indexes list INDEXNAME --debug that the setting is really applied. It should work.

Regards,

Andreas

jet1276
Path Finder

Hi @schose,

I tried the "frozenTimePeriodInSecs = x secs" parameter, but instead of deleting the data from disk, it deleted the tsidx files and moved the raw data files to the frozen directory.

Any idea on how can I permanently remove that data from disk?

0 Karma

inventsekar
SplunkTrust

@schose,
So, after marking some data as deleted through the "delete" command, how can we reclaim the filesystem space?!?!

0 Karma

schose
Builder

There is no way. You have to fade it out using frozenTimePeriodInSecs or reindex the data.

0 Karma

nickbijmoer
Path Finder

I've found this:

[main]
frozenTimePeriodInSecs = 15778800
etc.

But if I do splunk btool indexes list, I see multiple frozenTimePeriodInSecs lines, so did I put it in the proper file?

P.S. Sorry, but I'm really new to SPLUNK, so sorry if I'm asking dumb questions.

0 Karma

schose
Builder

Hi, we are all starting at a certain point. In which index do you want to delete the "old data"? If you run splunk btool indexes list INDEXNAME --debug, replacing INDEXNAME with the name of the index you want to delete the data from, you will see the frozenTimePeriodInSecs from the config file Splunk is using. Never edit any indexes.conf in a default directory until you are really sure you know what you are doing.
You can create an etc/system/local/indexes.conf file and create a stanza:

[myindex]
frozenTimePeriodInSecs = 7200

This will keep data in the index for 2 hours.

regards,

Andreas
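
An added example, not part of the original thread or Splunk's own tooling: a Python script that reads `splunk btool indexes list INDEXNAME --debug` output and reports which file sets frozenTimePeriodInSecs, the retention in days, and whether an archive setting sends frozen buckets to a frozen directory instead of deleting them. The sample output, its paths and the `archive_app` name are constructed, the function names are hypothetical, and `coldToFrozenDir` / `coldToFrozenScript` are indexes.conf settings the thread does not name.

```python
import re

# Constructed sample of `splunk btool indexes list main --debug` output:
# each line is "<conf file path> <stanza header or key = value>".
SAMPLE_BTOOL = """\
/opt/splunk/etc/system/local/indexes.conf   [main]
/opt/splunk/etc/system/default/indexes.conf coldPath = $SPLUNK_DB/defaultdb/colddb
/opt/splunk/etc/apps/archive_app/local/indexes.conf coldToFrozenDir = /opt/frozen/main
/opt/splunk/etc/system/local/indexes.conf   frozenTimePeriodInSecs = 2592000
/opt/splunk/etc/system/default/indexes.conf homePath = $SPLUNK_DB/defaultdb/db
"""

LINE = re.compile(r"^(\S+)\s+(.*)$")  # assumes conf paths contain no spaces

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        source, rest = m.group(1), m.group(2).strip()
        if rest.startswith("[") and rest.endswith("]"):
            current = stanzas.setdefault(rest[1:-1], {})
        elif current is not None and "=" in rest:
            key, value = (p.strip() for p in rest.split("=", 1))
            current[key] = (value, source)
    return stanzas

def retention_report(text, index):
    """Summarise the effective freeze policy for one index."""
    conf = parse_btool(text).get(index, {})
    secs, source = conf.get("frozenTimePeriodInSecs", (None, None))
    archive = [k for k in ("coldToFrozenDir", "coldToFrozenScript")
               if conf.get(k, ("", ""))[0]]
    return {
        "index": index,
        "retention_days": int(secs) / 86400 if secs else None,
        "set_in": source,
        "from_default_dir": bool(source) and "/default/" in source,
        # With an archive setting, frozen buckets are archived, not deleted.
        "frozen_buckets_deleted": not archive,
        "archive_settings": {k: conf[k] for k in archive},
    }

if __name__ == "__main__":
    for field, value in retention_report(SAMPLE_BTOOL, "main").items():
        print(f"{field}: {value}")
```
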

nickbijmoer
Path Finder

Ahh okay, thanks 🙂

I got it now, appreciate the help!

Regards,

Nick

0 Karma

inventsekar
SplunkTrust

I think that setting will be only for new data. You can search and delete it -
Your-index earliest=older-date latest=old-date |delete
NOTE - indexed data deletion is irreversible.

nickbijmoer
Path Finder

As I said, unfortunately I can't search anymore. If I want to search, I get this error: Search not executed: The minimum free disk space (50MB) reached for /opt/data/splunk/var/run/splunk/dispatch

0 Karma

inventsekar
SplunkTrust

Oh ok, I thought this issue, then answered above without a cross-thought.
I am not sure; maybe try to delete using the Splunk CLI command line, if possible.

0 Karma