Getting Data In

How to troubleshoot why 90 data data retention configuration is not being applied?

rblalock
New Member

I want to freeze all data older than 90 days.

My /opt/splunk/etc/system/local/indexes.conf file looks like this

[default]

[_audit]

[main]
rotatePeriodInSecs = 60
coldToFrozenDir = /logs/frozen
maxTotalDataSizeMB = 400000
frozenTimePeriodInSecs = 7776000

But I still have data that is up to six months old. Can someone suggest other places to look to correct this?

0 Karma

somesoni2
Revered Legend

See below link which explains various properties involved in setting up the retention policy and bucket life cycle.

http://wiki.splunk.com/Deploy:BucketRotationAndRetention

Basically, you need to setup maxHotSpanSecs and maxWarmDBCount to values so that your data bucket is getting rolled over to frozen. It will be deleted only after it's moved to frozen state.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

First, verify the value stuck by running splunk cmd btool indexes list main.

Then, check if the bucket containing that old data happens to also contain newer data. It'll get rolled when the youngest event is older than the frozen period.

0 Karma
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...