Re: Data Archiving and Retirement

zachantinelling · ‎05-19-2020

I am trying to configure a new instance of splunk, my requirements for data retention are:

Searchable 14 days
Archive 5 years

I have configured the indexes.conf as below for my index:

coldtofrozendir = $SPLUNK_DB/defaultdb/frozendb
frozentimeperiodinsecs = 1209600

According to the "Set a retirement and archiving policy" and "indexes.conf" documentation on splunk docs, the settings i've configured should roll the buckets to my frozen directory when the events are two weeks old and leave them there for me to handle.

However - myself and the sales engineer are stumped as to why the events in the hot bucket are still over 3 months old. Have we read the documentation correctly? Your input is greatly appreciated.

Thank you!

richgalloway · ‎05-19-2020

Your hot buckets are not rolling, probably because they're not filling up. Try setting maxHotSpanSecs=86400 to force them to roll to warm after a day.

---
If this reply helps you, Karma would be appreciated.

zachantinelling · ‎05-21-2020

Thanks for your reply Rich. Looks like this worked and it is now rolling the data to my frozen bucket. I have also set frozentimeperiodinsecs = 1209600 but yet the data in my hot/warm bucket is still aged as far back as 7 months and I don't have any data being rolled into the cold buckets. Any idea why this would be happening?

richgalloway · ‎05-26-2020

No. Sorry.

---
If this reply helps you, Karma would be appreciated.

Data Archiving and Retirement

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio