Re: Data Archiving and Retirement

zachantinelling · ‎05-19-2020

I am trying to configure a new instance of splunk, my requirements for data retention are:

Searchable 14 days
Archive 5 years

I have configured the indexes.conf as below for my index:

coldtofrozendir = $SPLUNK_DB/defaultdb/frozendb
frozentimeperiodinsecs = 1209600

According to the "Set a retirement and archiving policy" and "indexes.conf" documentation on splunk docs, the settings i've configured should roll the buckets to my frozen directory when the events are two weeks old and leave them there for me to handle.

However - myself and the sales engineer are stumped as to why the events in the hot bucket are still over 3 months old. Have we read the documentation correctly? Your input is greatly appreciated.

Thank you!

richgalloway · ‎05-19-2020

Your hot buckets are not rolling, probably because they're not filling up. Try setting maxHotSpanSecs=86400 to force them to roll to warm after a day.

---
If this reply helps you, Karma would be appreciated.

zachantinelling · ‎05-21-2020

Thanks for your reply Rich. Looks like this worked and it is now rolling the data to my frozen bucket. I have also set frozentimeperiodinsecs = 1209600 but yet the data in my hot/warm bucket is still aged as far back as 7 months and I don't have any data being rolled into the cold buckets. Any idea why this would be happening?

richgalloway · ‎05-26-2020

No. Sorry.

---
If this reply helps you, Karma would be appreciated.

Data Archiving and Retirement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation