Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Index Data Retention
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spl_unker
Explorer
02-17-2020
04:27 AM
Splunk Query to check what is the Data retention set for hot/warm , cold for each index
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-17-2020
04:42 AM
The only duration Splunk uses for data management is the frozen period - ie how long does data remain searchable in Splunk before it is archived or deleted.
The amount of "time" data stays in hot/warm is based on either size, or the number of buckets (not duration)
See the following for info on how to query for frozen durations:
https://answers.splunk.com/answers/476377/how-to-search-and-table-the-retention-time-of-each.html
The best place to check for your index settings is your index definitions.
- on a stand alone indexer, check the indexes.conf on the indexer (you may have to look in multiple apps) $SPLUNK_HOME/etc/apps/appname/[local|default]/indexes.conf
- on an indexer cluster, check the indexes.confs on the cluster master in $SPLUNK_HOME/etc/master-apps/[_cluster|yourapp]/[default|local]/indexes.conf
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-17-2020
04:42 AM
The only duration Splunk uses for data management is the frozen period - ie how long does data remain searchable in Splunk before it is archived or deleted.
The amount of "time" data stays in hot/warm is based on either size, or the number of buckets (not duration)
See the following for info on how to query for frozen durations:
https://answers.splunk.com/answers/476377/how-to-search-and-table-the-retention-time-of-each.html
The best place to check for your index settings is your index definitions.
- on a stand alone indexer, check the indexes.conf on the indexer (you may have to look in multiple apps) $SPLUNK_HOME/etc/apps/appname/[local|default]/indexes.conf
- on an indexer cluster, check the indexes.confs on the cluster master in $SPLUNK_HOME/etc/master-apps/[_cluster|yourapp]/[default|local]/indexes.conf
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-26-2020
02:18 PM
If my answer helped, please consider accepting and/or upvoting so that other memebers of the community can see it was useful.
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
masonmorales
Influencer
02-26-2020
05:45 PM
Accepted it on the poster's behalf. Cheers!
Get Updates on the Splunk Community!
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!
Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...
Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
