Getting Data In

How to troubleshoot why 90 data data retention configuration is not being applied?

rblalock
New Member

I want to freeze all data older than 90 days.

My /opt/splunk/etc/system/local/indexes.conf file looks like this

[default]

[_audit]

[main]
rotatePeriodInSecs = 60
coldToFrozenDir = /logs/frozen
maxTotalDataSizeMB = 400000
frozenTimePeriodInSecs = 7776000

But I still have data that is up to six months old. Can someone suggest other places to look to correct this?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

See below link which explains various properties involved in setting up the retention policy and bucket life cycle.

http://wiki.splunk.com/Deploy:BucketRotationAndRetention

Basically, you need to setup maxHotSpanSecs and maxWarmDBCount to values so that your data bucket is getting rolled over to frozen. It will be deleted only after it's moved to frozen state.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

First, verify the value stuck by running splunk cmd btool indexes list main.

Then, check if the bucket containing that old data happens to also contain newer data. It'll get rolled when the youngest event is older than the frozen period.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...