Getting Data In

Culling older events in an index

charlesslover
Engager

Yello! So I'm trying to remove events in a specific index older than a year, and all the references I've found so far, such as the primary link to the retention policy setting page (http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Setaretirementandarchivingpolicy) have told me the same thing. I am pretty sure I'm following the directions correctly, but it's not working.

The indexes.conf in etc/system/local is as below:

[datindextho]
coldPath = $SPLUNK_DB\datindextho\colddb
homePath = $SPLUNK_DB\datindextho\db
frozenTimePeriodInSecs = 31536000
thawedPath = $SPLUNK_DB\datindextho\thaweddb

The index is currently showing events from two years ago. I want to cut everything back to maximum one year. So far setting it this way and restarting Splunk has not caused the index to be reduced. Do I need more information in this stanza? Thank you all for your help!

0 Karma

cpetterborg
SplunkTrust

If you have a bucket that has events from two years ago that also has events from 364 days or less ago in the same bucket, then the events will remain there until the entire bucket is more than 1 year old. It only ages out buckets, so if you have a bucket that has events from today and 2 years ago, with a retention of one year, then the two-year-old events will still be there until they are 3 years old. You can delete events, but that only makes them not visible. There will be no free disk space from a delete unless all the data in the bucket is beyond the retention period. USE delete cautiously (and it usually requires changing the admin role to include that capability).
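As an added illustration (not code from this thread or from Splunk), a small Python model of the bucket-level rule described in this answer: a bucket rolls to frozen only when its latest event is older than frozenTimePeriodInSecs, so older events sharing a bucket with recent ones stay searchable. The bucket names, event timestamps and evaluation date are constructed.

```python
from datetime import datetime, timedelta

# frozenTimePeriodInSecs from the stanza in the question: 365 days
FROZEN_TIME_PERIOD_IN_SECS = 31536000


def bucket_status(events, now, frozen_secs=FROZEN_TIME_PERIOD_IN_SECS):
    """Apply the bucket-level retention rule to one bucket.

    A bucket rolls to frozen (deleted unless an archive path is configured)
    only when its *latest* event is older than frozen_secs. Until then every
    event in it stays searchable, including ones already past retention.
    """
    if not events:
        raise ValueError("a bucket always holds at least one event")
    cutoff = now - timedelta(seconds=frozen_secs)
    latest = max(events)
    if latest < cutoff:
        # whole bucket is past retention: it freezes and frees its disk space
        return {"state": "frozen", "stale_retained": 0, "freezes_at": None}
    # bucket survives; count events past retention that are still searchable
    stale = sum(1 for e in events if e < cutoff)
    return {"state": "retained", "stale_retained": stale,
            "freezes_at": latest + timedelta(seconds=frozen_secs)}


def retention_report(buckets, now, frozen_secs=FROZEN_TIME_PERIOD_IN_SECS):
    """Status of every bucket in {bucket_name: [event timestamps]}."""
    return {name: bucket_status(evs, now, frozen_secs)
            for name, evs in buckets.items()}


# Constructed sample: three buckets of one index, evaluated on 2017-10-01.
NOW = datetime(2017, 10, 1)
SAMPLE_BUCKETS = {
    # every event older than a year -> freezes
    "db_old": [datetime(2015, 6, 1), datetime(2015, 7, 1)],
    # a two-year-old event sharing a bucket with a recent one -> stays
    "db_mixed": [datetime(2015, 6, 1), datetime(2017, 9, 30)],
    # all recent -> stays, nothing stale
    "db_recent": [datetime(2017, 8, 15), datetime(2017, 9, 1)],
}

if __name__ == "__main__":
    for name, status in retention_report(SAMPLE_BUCKETS, NOW).items():
        print(name, status)
```

Running it shows why the two-year-old events in the question survive: db_mixed is retained with one stale event and will not freeze before 2018-09-30.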

charlesslover
Engager

Thanks! I didn't know that buckets could contain events with such varying dates. 😞

0 Karma

cpetterborg
SplunkTrust

There is a way to specify that the events not be outside a range, but by default the above is what you have to deal with.

If you have found this has answered your question you can accept the answer so that in the future others will know that the question has been answered when they are searching.

0 Karma