How to troubleshoot why 90 data data retention con...

rblalock · ‎11-17-2014

I want to freeze all data older than 90 days.

My /opt/splunk/etc/system/local/indexes.conf file looks like this

[default]

[_audit]

[main]
rotatePeriodInSecs = 60
coldToFrozenDir = /logs/frozen
maxTotalDataSizeMB = 400000
frozenTimePeriodInSecs = 7776000

But I still have data that is up to six months old. Can someone suggest other places to look to correct this?

somesoni2 · ‎11-17-2014

See below link which explains various properties involved in setting up the retention policy and bucket life cycle.

http://wiki.splunk.com/Deploy:BucketRotationAndRetention

Basically, you need to setup maxHotSpanSecs and maxWarmDBCount to values so that your data bucket is getting rolled over to frozen. It will be deleted only after it's moved to frozen state.

martin_mueller · ‎11-17-2014

First, verify the value stuck by running splunk cmd btool indexes list main.

Then, check if the bucket containing that old data happens to also contain newer data. It'll get rolled when the youngest event is older than the frozen period.

How to troubleshoot why 90 data data retention configuration is not being applied?

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to troubleshoot why 90 data data retention configuration is not being applied?

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming