Getting Data In

How can I set a 35-day data retention period for an index?

anil15694
Explorer

Hi,

I have set 35 days of data retention for an index, but data is available for 288 days. The daily average licence usage by the index is approx. 60 GB.

Below is the current setting:

frozenTimePeriodInSecs = 3024000
maxDataSize = auto_high_volume
maxTotalDataSizeMB = 1500000

How can I modify indexes.conf to maintain the 35-day data retention policy?

Thanks.


isoutamo
SplunkTrust

As a bucket is moved to frozen when all events in that bucket are older than frozenTimePeriodInSecs, this usually means that you have some older events in those buckets. Otherwise they would already have been frozen and removed. Maybe you have just added this data source and/or someone has added there (e.g. restored from backups) some older files which match your collection criteria.

Basically you just wait until all events in those buckets are older than 35 days, and then they will be deleted.

r. Ismo


thambisetty
SplunkTrust

Not recommended, but to have a strict retention period, set maxHotSpanSecs (see below) to 1 day.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Indexesconf

maxHotSpanSecs = <positive integer>
* Upper bound of timespan of hot/warm buckets, in seconds.
* This is an advanced setting that should be set
  with care and understanding of the characteristics of your data.
* Splunkd applies this limit per ingestion pipeline. For more
  information about multiple ingestion pipelines, see
  'parallelIngestionPipelines' in the server.conf.spec file.
* With N parallel ingestion pipelines, each ingestion pipeline writes to
  and manages its own set of hot buckets, without taking into account the state
  of hot buckets managed by other ingestion pipelines. Each ingestion pipeline
  independently applies this setting only to its own set of hot buckets.
* If you set 'maxHotBuckets' to 1, splunkd attempts to send all
  events to the single hot bucket and does not enforce 'maxHotSpanSeconds'.
* If you set this setting to less than 3600, it will be automatically
  reset to 3600.
* NOTE: If you set this setting to too small a value, splunkd can generate
  a very large number of hot and warm buckets within a short period of time.
* The highest legal value is 4294967295.
* NOTE: the bucket timespan snapping behavior is removed from this setting.
  See the 6.5 spec file for details of this behavior.
* Default: 7776000 (90 days)

————————————
If this helps, give a like below.
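To make the two answers concrete, here is a small model of Splunk's bucket-freezing rule (an added example, not code from the thread or from Splunk): a bucket is frozen only when its latest event is older than frozenTimePeriodInSecs, so the oldest searchable event can lag behind by up to the bucket's timespan, which maxHotSpanSecs bounds. The bucket layout, the clock value and the 3600-second floor from the quoted spec are assumptions taken for the sample; the worst-case bound assumes events arrive in time order, which is exactly what restored or late-arriving old data breaks.

```python
# Model of the retention behaviour discussed above (constructed example).
DAY = 86400
MIN_HOT_SPAN_SECS = 3600   # spec: values below 3600 are reset to 3600
FROZEN = 3024000           # 35 days, the poster's frozenTimePeriodInSecs


def max_retained_age_secs(frozen_time_period_secs, max_hot_span_secs):
    """Worst-case age of the oldest still-searchable event, assuming events
    are indexed in time order. A bucket freezes only when its *latest* event
    is older than frozenTimePeriodInSecs; its earliest event can be up to
    maxHotSpanSecs older than that.  Caveat (from the spec): the span is not
    enforced when maxHotBuckets is 1."""
    span = max(max_hot_span_secs, MIN_HOT_SPAN_SECS)
    return frozen_time_period_secs + span


def retention_days(max_hot_span_secs, frozen_time_period_secs=FROZEN):
    """Same bound expressed in days for easy comparison with the thread."""
    return max_retained_age_secs(frozen_time_period_secs, max_hot_span_secs) / DAY


def buckets_to_freeze(buckets, now, frozen_time_period_secs):
    """Return ids of buckets whose latest event is older than the cutoff.
    buckets: list of {"id", "earliest", "latest"} with epoch-second times."""
    cutoff = now - frozen_time_period_secs
    return [b["id"] for b in buckets if b["latest"] < cutoff]


# Constructed sample buckets relative to an assumed 'now'.
NOW = 1_700_000_000
SAMPLE_BUCKETS = [
    # Old restored events mixed with recent ones: never freezes while the
    # recent events keep its latest timestamp inside the 35-day window.
    {"id": "A", "earliest": NOW - 288 * DAY, "latest": NOW - 20 * DAY},
    # Entirely older than 35 days: frozen and removed.
    {"id": "B", "earliest": NOW - 60 * DAY, "latest": NOW - 36 * DAY},
    # Straddles the boundary: kept until its latest event ages past 35 days.
    {"id": "C", "earliest": NOW - 40 * DAY, "latest": NOW - 34 * DAY},
]

if __name__ == "__main__":
    print("default maxHotSpanSecs (90 d): keeps up to", retention_days(7776000), "days")
    print("maxHotSpanSecs = 1 day:         keeps up to", retention_days(DAY), "days")
    print("buckets frozen now:", buckets_to_freeze(SAMPLE_BUCKETS, NOW, FROZEN))
```

With the default 90-day maxHotSpanSecs the 35-day setting can legitimately keep 125 days of data; with the 1-day value it keeps at most 36 days, but bucket A shows why neither setting removes the 288-day-old events while newer events share their bucket.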