Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data Archiving and Retirement

zachantinelling
Explorer
‎05-19-2020 04:48 PM

I am trying to configure a new instance of splunk, my requirements for data retention are:

Searchable 14 days
Archive 5 years

I have configured the indexes.conf as below for my index:

coldtofrozendir = $SPLUNK_DB/defaultdb/frozendb
frozentimeperiodinsecs = 1209600

According to the "Set a retirement and archiving policy" and "indexes.conf" documentation on splunk docs, the settings i've configured should roll the buckets to my frozen directory when the events are two weeks old and leave them there for me to handle.

However - myself and the sales engineer are stumped as to why the events in the hot bucket are still over 3 months old. Have we read the documentation correctly? Your input is greatly appreciated.

Thank you!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-19-2020 05:44 PM

Your hot buckets are not rolling, probably because they're not filling up. Try setting maxHotSpanSecs=86400 to force them to roll to warm after a day.

---
If this reply helps you, Karma would be appreciated.
Reply

zachantinelling
Explorer
‎05-21-2020 11:03 AM

Thanks for your reply Rich. Looks like this worked and it is now rolling the data to my frozen bucket. I have also set frozentimeperiodinsecs = 1209600 but yet the data in my hot/warm bucket is still aged as far back as 7 months and I don't have any data being rolled into the cold buckets. Any idea why this would be happening?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-26-2020 05:30 AM

No. Sorry.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...