Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk index retention based on retention period only not size

Mag2sub
Path Finder
‎12-12-2013 09:40 AM

How do we ensure that only say 40 days of data is retained combined across all our buckets hot,warm,cold ....irrespective of incoming data size ..im not interested in 41st day data at any cost ...ie or is it a ballpark calculatioon that can be done based on sizing of these buckets ?

Apreciate pointers

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎12-12-2013 12:08 PM

FYI, data is not aged out on a per event basis, but on a per bucket basis.

Just be aware that a bucket does not roll to frozen (i.e. is deleted) until the newest event in the bucket is older than the retention limit.

/K

0 Karma
Reply

aelliott
Motivator
‎12-12-2013 09:41 AM

This information may assist you:
http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Setaretirementandarchivingpolicy

Reply

aelliott
Motivator
‎12-12-2013 12:13 PM

you could make maxTotalDataSizeMB a huge number (perhaps the maximum) and use frozenTimePeriodInSecs

Here is a post on this:
http://answers.splunk.com/answers/29126/maxtotaldatasizemb-max-value-or-0

0 Karma
Reply

Mag2sub
Path Finder
‎12-12-2013 12:11 PM

I guess what is not clear is
is effective delete(provided i dont have freeze dir setup) a combination of frozenTimePeriodInSecs and maxTotalDataSizeMB
or whichever comes first ...

.the idea being from my question if i just dont care my total data size and just need to drop 41st day data irrespective of index total size...i dont see a way in splunk to totally avoid "maxTotalDataSizeMB) and just put frozenTimePeriodInSecs...?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...