
What Should I Expect After Implementing A Retirement Policy?



I'm looking for advice\info on how retirement policies work in practice. Based on this document, I set a retirement policy for 1 index to start with to remove data older than 2 years. I set it to:
frozenTimePeriodInSecs = 63072000

What can I expect after doing this? I have seen the number of events in one index go down from 429 million to 421 million. But there are still events older than two years.

Is there a process or log that shows the retirement activity--such as how many events were removed on a particular day\week\month?

I presume the index itself will not be reduced in size, just the number of events. Is that correct?

If the index does not shrink, will new events fill up the white space made available by retired events? Or will the index continue to grow? (I have two conflicting goals--I don't want to run out of disk space but I have a compliance requirement to keep events for a certain period of time. Otherwise, I would set a maximum size on the indexes.)

Thanks in advance.

0 Karma

Revered Legend

Data retirement policies don't work on a per-event basis; instead, they work on the data buckets for that index. It'll only delete cold-stage buckets, and only when the latest event in that bucket is older than the set frozenTimePeriodInSecs. (Say in a bucket you've data with _time ranging from 10/04/2015 to 11/18/2015: that bucket won't be deleted because the latest event in the bucket, 11/18/2015, is not older than 2 years from now, even though it contains other events which are older.)

I would suggest a read of this to understand the retention policies better.

0 Karma
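
The bucket-level rule described in the answer above, as an added example that is not part of the original thread or Splunk's own code: it reads the newest and oldest event times from bucket directory names and shows why a bucket can still hold events older than the cutoff. It assumes warm/cold bucket directories named db_<newest_epoch>_<oldest_epoch>_<id>; the bucket names and the "now" of 11/01/2017 are constructed sample values.

```python
import re
from datetime import datetime, timezone

FROZEN_TIME_PERIOD_IN_SECS = 63072000  # value from the question (about 2 years)

# Assumed directory naming: db_<newest_epoch>_<oldest_epoch>_<id>
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")


def epoch(year, month, day):
    """UTC midnight of the given date as epoch seconds."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def classify(bucket_names, now, frozen_secs=FROZEN_TIME_PERIOD_IN_SECS):
    """Sort buckets by how the retirement policy treats them at time `now`."""
    cutoff = now - frozen_secs
    result = {"frozen": [], "retained_with_old_events": [], "retained": []}
    for name in bucket_names:
        m = BUCKET_RE.match(name)
        if not m:
            continue  # not a db_* bucket directory (e.g. a hot bucket)
        newest, oldest = int(m.group(1)), int(m.group(2))
        if newest < cutoff:
            # Even the latest event is past retention: whole bucket is retired.
            result["frozen"].append(name)
        elif oldest < cutoff:
            # Latest event is still inside retention, so the bucket stays,
            # including its events that are older than the cutoff.
            result["retained_with_old_events"].append(name)
        else:
            result["retained"].append(name)
    return result


def sample_buckets():
    """Constructed bucket names; the second mirrors the answer's date range."""
    return [
        f"db_{epoch(2015, 9, 30)}_{epoch(2015, 8, 1)}_11",
        f"db_{epoch(2015, 11, 18)}_{epoch(2015, 10, 4)}_12",
        f"db_{epoch(2017, 10, 1)}_{epoch(2017, 6, 1)}_40",
        "hot_v1_41",
    ]


if __name__ == "__main__":
    for state, names in classify(sample_buckets(), epoch(2017, 11, 1)).items():
        print(state, names)
```
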


Thanks for the comment. Yes, that's the document I tried to link but it didn't take for some reason.

Your explanation of buckets and the time ranges makes sense. Thanks again.

0 Karma