Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Settings for 1year retention period

jkamdar
Communicator
‎07-29-2025 12:54 PM

I have this small Splunk Enterprise deployment in a lab that's air gapped.

So I setup this deployment about 18 months ago. Recently I noticed, I am not rolling any data. I want to set retention period of 1 year for all the data. After checking the configuration, looks like I have # of Hot buckets set to auto (which is 3 by default, I assume) but I don't find any Warm buckets. So, everything is in Hot buckets. I am looking at few settings maxHotSpanSecs, frozenTimePeriodInSecs and maxVolumeDataSizeMB, that should roll data to warm and then cold buckets eventually. 

Under /opt/splunk/etc/system/local/indexes.conf
maxHotSpanSecs is set to 7776000
frozenTimePeriodInSecs 31536000
maxVolumeDataSizeMB (not set)

Under /opt/splunk/etc/apps/search/indexs.conf
maxHotSpanSecs not set
frozenTimePeriodInSecs 31536000 (for all the indexes)
maxVolumeDataSizeMB (not set)

Shouldn't frozenTimePeriodInSecs take precedent?

Maybe, my maxVolumeDataSizeMB is set to too high. Do I need to change it? How do frozenTimePeriodInSecs and maxVolumeDataSizeMB affect each other? I thought frozenTimePeriodInSecs would override maxVolumeDataSizeMB

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkamdar
Communicator
4 weeks ago

Ok, I have set maxHotSpanSecs 86400. I am seeing lots of warm buckets now. With and frozenTimePeriodInSecs 31536000, I think, I am seeing results that I was hoping for.

Also, with the below search, I am seeing data being rolled to frozen as well.

index=_internal sourcetype=splunkd log_level=INFO component=BucketMover "freeze succeeded"

 

View solution in original post

Reply
Solved! Jump to solution
Solution

jkamdar
Communicator
4 weeks ago

Ok, I have set maxHotSpanSecs 86400. I am seeing lots of warm buckets now. With and frozenTimePeriodInSecs 31536000, I think, I am seeing results that I was hoping for.

Also, with the below search, I am seeing data being rolled to frozen as well.

index=_internal sourcetype=splunkd log_level=INFO component=BucketMover "freeze succeeded"

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2025 02:05 PM

You say you found no warm buckets, but what about cold buckets?  Did you find any of those?

If you're not running out of disk space then maxVolumeDataSizeMB is not too high.

The current settings have buckets spanning 90 days.  Therefore, you should have 5 "generations" of buckets - 0-90 days (hot), 91-180 days, 181-270 days, 271-360 days, and 361-450 days.  That last one is because a bucket won't be frozen until *all* events in it exceed the retention time.

Set maxHotSpanSecs to 86400 so each bucket only contains a single day of data and retention should improve.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎07-29-2025 02:02 PM

Hi @jkamdar 

Due to having things defined in different places here, it might be best to run a btool to the exact configuration (including default values)

Please could you run:

$SPLUNK_HOME/bin/splunk cmd btool indexes list --debug <yourIndexName>

When you talk about buckets "not rolling" - do you mean from Hot->Warm, or Cold->Frozen?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Solved! Jump to solution

jkamdar
Communicator
‎07-30-2025 10:02 AM

Thanks @livehybrid and @richgalloway both suggestions are helpful. I was able to use btool to find what indexes.conf each index is using and then I did change  maxHotSpanSecs to the suggested # and I see more warm buckets. If this going to trigger data deletion that's over an year old, that's great, I will wait and see.

However, regardless what was set for maxHotSpanSecs, shouldn't frozenTimePeriodInSecs have triggered the expiration of data and delete? O

I sure am not clear how maxHotSpanSecs and frozenTimePeriodInSecs work together and affects the retention period. If one can explain, it would be great. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2025 11:10 AM

The frozenTimePeriodInSecs setting does not apply to hot buckets.  You should, however, see warm buckets once a hot bucket fills up or becomes 90 days old.  I can't explain why you don't.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...