Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can we change index retention at any time?

AzmathShaik
Path Finder
‎10-05-2017 09:29 AM

Hello All,

we have multisite cluster environment running our current retention is set to default, can we change our retention now, is it suggested to do? what will be the impact.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-05-2017 09:39 AM

Yes, you can change retention settings for your indices at any time. If you reduce it, Splunk will start rolling off data based on your index configuration.
If you increase it, buckets will be kept longer, according to new retention settings. In this case, make sure you have enough storage across your indexing tier to maintain the longer data retention.

Impact:
- the change requires a rolling restart of your cluster
- if you decrease retention, Splunk will process all buckets to determine which ones should now be archived/deleted. This may take a while, but should not have material impact on indexing and search otherwise

View solution in original post

Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎10-05-2017 09:39 AM

Yes, you can change retention settings for your indices at any time. If you reduce it, Splunk will start rolling off data based on your index configuration.
If you increase it, buckets will be kept longer, according to new retention settings. In this case, make sure you have enough storage across your indexing tier to maintain the longer data retention.

Impact:
- the change requires a rolling restart of your cluster
- if you decrease retention, Splunk will process all buckets to determine which ones should now be archived/deleted. This may take a while, but should not have material impact on indexing and search otherwise

Reply
Solved! Jump to solution

AzmathShaik
Path Finder
‎10-05-2017 09:41 AM

Thank you.

0 Karma
Reply
Solved! Jump to solution

evgenyvasilchen
Explorer
‎02-23-2018 01:21 PM

If we decrease retention - shall this free some disk space?
For example - we have accumulated data for 5 years and now want to set max. retention time to 2 years.
So, if we will set frozenTimePeriodInSecs to two years - will that remove any older buckets off the disk?

Thanks!

0 Karma
Reply
Solved! Jump to solution

dxu_splunk
Splunk Employee
Splunk Employee
‎02-24-2018 08:06 PM

^ yes it will. it'll likely use a lot of resources free'ing up so many buckets upon the first restart.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...