Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Index log need to maintain only one year

balamuruganm7
New Member
‎09-09-2019 02:42 AM

Hi Team,

I am seeking help on indexer log retention period set.

I am using splunk enterprise version 6.4.2, deployed some 4 years ago so . indexer log contain more than one year and log to be restricted only one year.

Kindly help on setting indexer log to maintain one year only

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎09-09-2019 03:21 PM

Assuming that you have removed frozenTimePeriodInSecs at the index-level config of all indexes in your indexes.conf file(s) (use splunk cmd btool indexes list --debug to check), you can do:
indexes.conf

[default]
frozenTimePeriodInSecs = 31536000

View solution in original post

0 Karma
Reply
Solved! Jump to solution

balamuruganm7
New Member
‎09-12-2019 11:41 PM

where should I add the default stanza?,where I should add the default stanza?

0 Karma
Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎09-09-2019 03:21 PM

Assuming that you have removed frozenTimePeriodInSecs at the index-level config of all indexes in your indexes.conf file(s) (use splunk cmd btool indexes list --debug to check), you can do:
indexes.conf

[default]
frozenTimePeriodInSecs = 31536000
0 Karma
Reply
Solved! Jump to solution

balamuruganm7
New Member
‎09-09-2019 11:38 PM

Hi Masonmorales,

I could see indexes.conf file under $SPLUNK_HOME/etc/system/local/, but I don't see any parameter frozenTimePeriodInSecs

indexes.conf files contain following
.
[splunklogger]
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 1
enableOnlineBucketRepair =1
enableTsidxReduction = 0
syncMeta =1

[ _internal]
bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair =1
enableTsidxReduction = 0
syncMeta =1

[ _interospection]

bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair =1
enableTsidxReduction = 0
syncMeta =1

[ -audit]

bucketRebuildMemoryHint = 0
compressRawdata = 1
enableDataIntegrityControl = 0
enableOnlineBucketRepair =1
enableTsidxReduction = 0
syncMeta =1

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎09-12-2019 09:59 PM

OK so just add it to the default stanza.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-09-2019 06:32 AM

Use this to find the current retention applied on the indexes you have:
https://answers.splunk.com/answers/553180/how-to-find-the-retention-period-of-an-index.html

Then follow this to understand and implement appropriate retention period.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...