Frozen Time Period in seconds based on Sourcetype

Dark_Ichigo · ‎10-31-2012

Why cant I choose a source type of an index instead of the whole index to move my index data from the specific source type chosen to the frozen bucket?

I dont want to move all of the index, I just want to chose a specific source type within that index to be moved to a cold or frozen bucket at a given specified time.

dwaddle · ‎10-31-2012

The smallest index unit is a bucket. Sourcetypes are really just a "descriptive marker" on events within a bucket. You cannot choose different expiry periods for different sourcetypes in a bucket because Splunk's architecture is just not designed that way.

You can always file an enhancement request asking for this type of functionality. But, it breaks some pretty foundational tenets of how Splunk indexes work.

yannK · ‎10-31-2012

Segregate your data in multiple indexes based on the sourcetype. And then specify different retentions per index.

Dark_Ichigo · ‎10-31-2012

What do you reckon would be an alternative then in this case, how can I be able to specify this with Splunks current functionalists..

Frozen Time Period in seconds based on Sourcetype

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...