Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why 90 data data retention configuration is not being applied?

rblalock
New Member
‎11-17-2014 12:07 PM

I want to freeze all data older than 90 days.

My /opt/splunk/etc/system/local/indexes.conf file looks like this

[default]

[_audit]

[main]
rotatePeriodInSecs = 60
coldToFrozenDir = /logs/frozen
maxTotalDataSizeMB = 400000
frozenTimePeriodInSecs = 7776000

But I still have data that is up to six months old. Can someone suggest other places to look to correct this?

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎11-17-2014 03:56 PM

See below link which explains various properties involved in setting up the retention policy and bucket life cycle.

http://wiki.splunk.com/Deploy:BucketRotationAndRetention

Basically, you need to setup maxHotSpanSecs and maxWarmDBCount to values so that your data bucket is getting rolled over to frozen. It will be deleted only after it's moved to frozen state.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-17-2014 02:04 PM

First, verify the value stuck by running splunk cmd btool indexes list main.

Then, check if the bucket containing that old data happens to also contain newer data. It'll get rolled when the youngest event is older than the frozen period.

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...