How do I configure and enforce a 6 month data retention policy?

andrewtrobec
Motivator

Hello,

I am trying to configure a 6 month data retention policy in which data has to be deleted from an index 180 days after it has been indexed. Since buckets are defined based on the _time attribute of each event, _time is associated to the index time.

Now I know that buckets only get rolled once the newest event reaches the threshold, so it is important for me to configure one bucket per day so that I will always be sure to delete all data indexed on a given day on the 180th day.

What I have so far in my indexes.conf for my index named retention is the following:

[retention]
coldPath = $SPLUNK_DB/retention/colddb
homePath = $SPLUNK_DB/retention/db
# this is set to the expected data consumption per day
maxDataSize = 150
# set to 1 day so that a bucket will be created per day
maxHotSpanSecs = 86400
# set to 150 expected per day x 30 days per month x 6 months
maxTotalDataSizeMB = 27000
# 6 month retention before being frozen
frozenTimePeriodInSecs = 15552000

Would this be the correct configuration for my index? Is there some other parameter that I am missing?

Thanks!

Andrew

0 Karma

viewsmart
New Member

Your configuration looks correct. However, you've given no room for error margins, specifically with the frozenTimePeriodInSecs.
If you are using NTP within your environment, the protocol might experience errors, resulting in unexpected behavior such as the deletion of your index data.

I'll advise you to increase the frozenTimePeriodInSecs above 6 months and allow the maxTotalDataSizeMB rule to enforce your retention policy.

0 Karma

snowmizer
Communicator

frozenTimePeriodInSecs will force your retention settings on your index. In this case you are correct that your settings will force the data to roll off after 6 months.
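
Added example, not part of the thread and not Splunk tooling: a Python check of the stanza from the question that compares how long time-based freezing (frozenTimePeriodInSecs, plus up to maxHotSpanSecs because a bucket freezes only once its newest event ages out) and size-based freezing (maxTotalDataSizeMB) keep data. The function name, the constructed sample stanza and the daily_mb estimate are assumptions of this example.

```python
import configparser

# Constructed sample: the stanza from the question, without its inline notes.
SAMPLE_CONF = """
[retention]
coldPath = $SPLUNK_DB/retention/colddb
homePath = $SPLUNK_DB/retention/db
maxDataSize = 150
maxHotSpanSecs = 86400
maxTotalDataSizeMB = 27000
frozenTimePeriodInSecs = 15552000
"""

DAY = 86400


def retention_report(conf_text, stanza, daily_mb):
    """Compare time-based and size-based freezing for one index stanza.

    daily_mb is the caller's estimate of on-disk growth per day (an
    assumption of this example, not something read from Splunk).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of indexes.conf setting names
    cp.read_string(conf_text)
    s = cp[stanza]
    frozen = int(s["frozenTimePeriodInSecs"])
    span = int(s["maxHotSpanSecs"])
    total_mb = int(s["maxTotalDataSizeMB"])

    # A bucket freezes only when its newest event is older than
    # frozenTimePeriodInSecs, so its oldest event can be kept for up to
    # one bucket span longer than that.
    time_min_days = frozen / DAY
    time_max_days = (frozen + span) / DAY
    # Once the index grows past maxTotalDataSizeMB the oldest buckets are
    # frozen regardless of age; this is how many days of data fit.
    size_days = total_mb / daily_mb
    return {
        "time_min_days": time_min_days,
        "time_max_days": time_max_days,
        "size_days": size_days,
        # True when the size cap can freeze a bucket before the time limit does.
        "size_binds_first": size_days < time_max_days,
    }


if __name__ == "__main__":
    print(retention_report(SAMPLE_CONF, "retention", daily_mb=150))
```

With the question's figures the size cap holds 180 days of data while time-based freezing can need up to 181 days of buckets on disk, so the size limit can freeze the oldest bucket first.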
