Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to force retention time pruning

hartfoml
Motivator
‎02-06-2017 05:24 AM

I have my frozen time set like this frozenTimePeriodInSecs = 47304000 (1.5 years)
yet when I do this search 

| metadata index=foo type=hosts | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time)

my "firstTime" is more than two years from my "lastTime"

lastTime               firstTime
02/06/2017 07:10:40     01/16/2015 09:18:53

this is more than 2 years of data.
How can I force retention time pruning or find out why pruning it not running correctly?

0 Karma
Reply

ddrillic
Ultra Champion
‎02-06-2017 06:38 AM

So, it's interesting to find out what the value of maxHotSpanSecs is now and what it was 1.5 years ago, because its default value of 1 day in seconds, enforces rotation of the bucket on a daily basis. Keep in mind that this value for a slow growing index can produce lots of small buckets...

0 Karma
Reply

twinspop
Influencer
‎02-06-2017 06:47 AM

I'm not sure about that default. On all my 6.5.1 systems, the default is 7776000, which is 90 days.

0 Karma
Reply

ddrillic
Ultra Champion
‎02-06-2017 06:49 AM

Really interesting, because I'm pretty sure on older versions it was a day...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2017 05:53 AM

Hi hartfoml,
events deletion is related to buckets time period: a bucket is deleted when the latest bucket's event is out of the retention period, it isn't possible to force the bucket's deletion.

Bye.
Giuseppe

0 Karma
Reply

hartfoml
Motivator
‎02-06-2017 06:57 AM

Giuseppe, @cusello Thanks for the response. I have the retention set to 1.5 years and there is more than 2 years of data. This is a high volume index "Firewall" logs. Since I have 2 yeas worth of data, bucket data would have to span more than 6 moths in order not to be deleted in the 1.5 year time frame. this seems unlikely to me.

I wish there was a way of looking into the buckets to see which ones should be removed and are not being removed.

Thanks for your response.

0 Karma
Reply

ddrillic
Ultra Champion
‎02-06-2017 07:00 AM

You see, each bucket has two epoch time stamps, in their file name, which define their time interval. So, you can check them on the file system.

0 Karma
Reply

twinspop
Influencer
‎02-06-2017 07:00 AM

Have you checked the old events? Do their timestamps match their index time? In other words, are they reporting as 2 years old for LOG TIME, but they were actually indexed more recently?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...