Getting Data In

How to configure Splunk that data from all buckets (incl. frozen) older than a certain time are automatically deleted?

ddlliinn
New Member

According to documentation:

The maxTotalDataSizeMB and frozenTimePeriodInSecs attributes in indexes.conf help determine when buckets roll from cold to frozen, allowing you to configure data retention policy.
Data retention policy is applied only on Cold buckets. If maxTotalDataSizeMB is reached before frozenTimePeriodInSecs, data will be rolled to frozen before the configured time period has elapsed.
maxDataSize defines maximum size in MB for a hot DB to reach before a roll to warm is triggered. You should use "auto_high_volume" for high-volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.

In our environment, we have the following configuration for main index.

[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
tstatsHomePath = volume:_splunk_summaries/defaultdb/datamodel_summary
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume

and the following default values

frozenTimePeriodInSecs = 94348800 (3 years)
maxTotalDataSizeMB = 500000 (500G - default)

My main index size is 341.26 GB, so I would expect the frozenTimePeriodInSecs to be applied.

However, the earliest event shown on the main index details page dates back to 2014-03-13 18:58:01+0000.
Since it is the main index we also have maxDataSize set to auto_high_volume, although the index gets approx. 1G of data/day.
Could you please advise what could be wrong or misconfigured, so that the retention policy cannot be applied and data is not deleted?
Thank you in advance,

0 Karma

gcusello
SplunkTrust

Hi @ddlliinn,
if you configure a value for the retention of all your indexes and you don't have a script to execute after the Cold state, all the buckets in which all events are older than the retention value will be deleted.
If in a bucket you have all the events older than retention except one, the bucket will not be deleted until the latest event exceeds the retention period.
If you have events older than the retention period, surely they are in a bucket together with events newer than the retention period.

Ciao.
Giuseppe

0 Karma
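The bucket rule Giuseppe describes, as an added illustration (this is a simplified model written for this thread, not Splunk's own code): a cold bucket rolls to frozen only when its latest event is older than frozenTimePeriodInSecs, and only if the index still exceeds maxTotalDataSizeMB do older buckets freeze by size. The bucket names, sizes and timestamps are constructed; the 2014-03-13 18:58:01 event from the question is placed in a bucket whose newest event is inside the retention window.

```python
from dataclasses import dataclass

# Default values quoted in the question: 3 years, 500 GB.
FROZEN_TIME_PERIOD_IN_SECS = 94348800
MAX_TOTAL_DATA_SIZE_MB = 500000


@dataclass
class Bucket:
    name: str
    earliest: int  # epoch seconds of the oldest event in the bucket
    latest: int    # epoch seconds of the newest event in the bucket
    size_mb: int


def buckets_to_freeze(buckets, now,
                      frozen_time_period_in_secs=FROZEN_TIME_PERIOD_IN_SECS,
                      max_total_data_size_mb=MAX_TOTAL_DATA_SIZE_MB):
    """Names of cold buckets that roll to frozen, in freeze order.
    Time rule: the whole bucket freezes only once its *latest* event is
    past retention; one newer event keeps every old event in it alive.
    Size rule: if what remains still exceeds maxTotalDataSizeMB, the
    buckets with the oldest latest-event freeze first until it fits."""
    frozen, kept = [], []
    for b in buckets:
        (frozen if now - b.latest > frozen_time_period_in_secs else kept).append(b)
    total = sum(b.size_mb for b in kept)
    for b in sorted(kept, key=lambda x: x.latest):
        if total <= max_total_data_size_mb:
            break
        frozen.append(b)
        total -= b.size_mb
    return [b.name for b in frozen]


def stale_but_retained(buckets, now, frozen_time_period_in_secs=FROZEN_TIME_PERIOD_IN_SECS):
    """Buckets that hold events past retention yet cannot be frozen:
    the asker's 2014 event lives in one of these."""
    return [b.name for b in buckets
            if now - b.earliest > frozen_time_period_in_secs
            and now - b.latest <= frozen_time_period_in_secs]


# Constructed sample; "now" is 2020-01-01T00:00:00Z, so retention cuts at 2017-01-04.
NOW = 1577836800
SAMPLE = [
    Bucket("db_old", 1394668800, 1420070400, 100000),     # events 2014-03 .. 2015-01
    Bucket("db_mixed", 1394737081, 1500000000, 150000),   # 2014-03-13 18:58:01 .. 2017-07
    Bucket("db_recent", 1560000000, 1577000000, 100000),  # 2019 only
]

if __name__ == "__main__":
    print(buckets_to_freeze(SAMPLE, NOW))                                 # ['db_old']
    print(stale_but_retained(SAMPLE, NOW))                                # ['db_mixed']
    print(buckets_to_freeze(SAMPLE, NOW, max_total_data_size_mb=200000))  # ['db_old', 'db_mixed']
```

Lowering maxTotalDataSizeMB in the third call shows the size rule overriding the time rule, which is the other way a bucket holding 2014 events could disappear before 3 years are up.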