Getting Data In

How to increase log retention period for one of the indexes to one year?

hrithiktej
Communicator
[my_index]
coldPath = volume:primary/my_index/colddb
homePath = volume:primary/my_index/db
thawedPath = $SPLUNK_DB/my_index/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 1000000

As per above configuration, data should be retained for 1 year if it does not exceed the maximum size (976.56 GB ) of the bucket.
Is this right?

0 Karma
1 Solution

mayurr98
Super Champion

hey, yes you are right

As per the doc

maxTotalDataSizeMB = <nonnegative integer>
* The maximum size of an index (in MB).
* If an index grows larger than the maximum size, the oldest data is frozen.
* This parameter only applies to hot, warm, and cold buckets.  It does not
  apply to thawed buckets.
* Highest legal value is 4294967295
* Defaults to 500000.

frozenTimePeriodInSecs = <nonnegative integer>
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to
  frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs
  before it will roll. Then, the DB will be frozen the next time splunkd
  checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).

Have a look at this doc for more info.
http://docs.splunk.com/Documentation/Splunk/7.0.2/admin/Indexesconf

let me know if this helps!

View solution in original post

0 Karma

ddrillic
Ultra Champion

-- if it does not exceed the maximum size (976.56 GB ) of bucket
of the index...

0 Karma

isoutamo
SplunkTrust
SplunkTrust

And/or there has not been set coldPath.maxDataSizeMB something else than 0. And of course there are enough space on device.

You could check those values from cmd line:
splunk btool indexes my_index [--debug]

r. Ismo

0 Karma

mayurr98
Super Champion

hey, yes you are right

As per the doc

maxTotalDataSizeMB = <nonnegative integer>
* The maximum size of an index (in MB).
* If an index grows larger than the maximum size, the oldest data is frozen.
* This parameter only applies to hot, warm, and cold buckets.  It does not
  apply to thawed buckets.
* Highest legal value is 4294967295
* Defaults to 500000.

frozenTimePeriodInSecs = <nonnegative integer>
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to
  frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs
  before it will roll. Then, the DB will be frozen the next time splunkd
  checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).

Have a look at this doc for more info.
http://docs.splunk.com/Documentation/Splunk/7.0.2/admin/Indexesconf

let me know if this helps!

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...