Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to purge old syslog events in Splunk?

benbeard
New Member
‎08-26-2016 06:40 AM

I can't for the life of me figure out how to purge old syslog entries in Splunk.

Tech details:
My 1st time using Splunk
Using Splunk on Windows Server 2012
Listening over UDP on 514 from Meraki devices.

Is there a way I can set a max number of entries and anything over the max falls off, or at least only keep the last 7-14 days of entries?

I'm currently at about 13,000,000 entries.

0 Karma
Reply

micahkemp
Champion
‎08-26-2016 09:36 AM

Event expiration happens at the index level. You can't (using normal Splunk practices) expire from a single sourcetype/host/etc.

Take a look at indexes.conf doc:
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Indexesconf

maxTotalDataSizeMB =
* The maximum size of an index (in MB).
* If an index grows larger than the maximum size, the oldest data is frozen.
* This parameter only applies to hot, warm, and cold buckets. It does not
apply to thawed buckets.
* Highest legal value is 4294967295
* Defaults to 500000.

frozenTimePeriodInSecs =
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to
frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs
before it will roll. Then, the DB will be frozen the next time splunkd
checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...