Deployment Architecture

How to delete data older than X number of days Manually

Path Finder

Hello,

I got a problem, I don't have space anymore and I want to delete data that's older than X days manually.
I've tried:
frozenTimePeriodInSecs = 2592000
but SPLUNK is not deleting it.
I can't search anymore because I have no disk space anymore, so what can I do?

0 Karma
1 Solution

Contributor

Hi all,

Well, "| delete" will not delete it but only mark it as deleted. It will not give you any space back on the filesystem. The much better way is using frozenTimePeriodInSecs. Are you sure that you restarted your indexers? Verify with splunk btool indexes list INDEXNAME --debug that the setting is really applied. Should work.

Regards,

Andreas


Path Finder

Hi @schose,

I tried the "frozenTimePeriodInSecs = x secs" parameter, but instead of deleting the data from disk, it deleted the tsidx files and moved the raw data files to the frozen directory.

Any idea how I can permanently remove that data from disk?

0 Karma

Champion

@schose,
so, after marking some data as deleted through the "delete" command, how can we reclaim the filesystem space?!?!

0 Karma

Contributor

There is no way. You have to fade it out using frozenTimePeriodInSecs or reindex the data.

0 Karma

Path Finder

I've found this:

[main]
frozenTimePeriodInSecs = 15778800
etc.

But if I do splunk btool indexes list, I see multiple frozenTimePeriodInSecs lines, so did I put it in the proper file?

P.S. Sorry, but I'm really new to SPLUNK, so sorry if I'm asking dumb questions.

0 Karma

Contributor

Hi, we are all starting at a certain point. In which index do you want to delete the "old data"? If you run splunk btool indexes list INDEXNAME --debug and replace INDEXNAME with the name of the index you want to delete the data from, you will see the frozenTimePeriodInSecs from the config file Splunk is using. Never edit any indexes.conf in a default directory until you are really sure you know what you are doing.
You can create an etc/system/local/indexes.conf file and create a stanza:

[myindex]
frozenTimePeriodInSecs = 7200

This will keep data in the index for 2 hours.

regards,

Andreas

Path Finder

Ahh okey thanks 🙂

I got it now, appreciate the help!

Regards,

Nick

0 Karma

Champion

I think that setting will be only for new data. You can search and delete it:
Your-index earliest=older-date latest=old-date |delete
NOTE - indexed data deletion is irreversible.

Path Finder

As I said, unfortunately I can't search anymore. If I want to search, I get this error: Search not executed: The minimum free disk space (50MB) reached for /opt/data/splunk/var/run/splunk/dispatch

0 Karma

Champion

Oh ok, I thought this issue, then answered above without a cross-thought.
I am not sure, maybe try to delete using the Splunk CLI command line, if possible.

0 Karma