Getting Data In

How to view data retention settings in Splunk

Engager

Was wondering how I can view my data retention settings in Splunk. Installation is on a Linux platform.

Motivator
| rest /services/data/indexes | where disabled = 0 | search NOT title = "_*" | eval currentDBSizeGB = round( currentDBSizeMB / 1024) | where currentDBSizeGB > 0 | table splunk_server title summaryHomePath_expanded minTime maxTime currentDBSizeGB totalEventCount frozenTimePeriodInSecs coldToFrozenDir maxTotalDataSizeMB | rename minTime AS earliest maxTime AS latest summaryHomePath_expanded AS index_path currentDBSizeGB AS index_size totalEventCount AS event_cnt frozenTimePeriodInSecs AS index_retention coldToFrozenDir AS index_path_frozen maxTotalDataSizeMB AS index_size_max title AS index

Path Finder

You can only directly set a maximum retention period.

The way to 'set' a minimum retention period is to manually calculate how fast you are accumulating logs and then make sure you have allocated enough disk space to your indexes.

0 Karma

Ultra Champion

This is found in indexes.conf and is set on a per-index level.

The parameter is called FrozenTimePeriodInSecs and is expressed in seconds. If it does not exist, then the default value of 188697600 is used, which is approximately 6 years.

Read more in the docs,

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Configureindexstorage

Hope this helps,

Kristian