Go into the settings menu on the indexer, and look for indexes. On the indexes page, you can see the size of the various indexes. Reduce the size of one or more indexes. Splunk will immediately begin to remove/freeze the oldest data until all indexes are under the maximum size.
You can also set a time limit for the data as well, but that setting is not available from the GUI.
Thank you so much!
1. In case I want to clean up all the 1-year-old data from my "TEST" index, how can I do that?
2. Also, please confirm which size we need to modify: Max size (MB) of entire index, or Max size (MB) of hot/warm/cold bucket? Also, if we modify this size, will it automatically purge the old data in future whenever this index touches its maximum size? Do we need to restart after this modification?
Have a look at this https://wiki.splunk.com/Deploy:BucketRotationAndRetention
The data retention is done either based on the total max size of the index (hot + warm + cold) using maxTotalDataSizeMB, OR based on bucket age (buckets older than the specified period will be frozen (deleted by default)) using the frozenTimePeriodInSecs attribute, for the index in indexes.conf.
The purging will be done automatically by Splunk at regular intervals, and a restart will be required for this change to take place (if done via conf files directly).
I have updated the settings as below and restarted Splunk, but it didn't clean up my old data from the indexer. Please find my indexes.conf below:
coldpath = $SPLUNKDB/test/colddb
homepath = $SPLUNKDB/test/db
thawedpath = $SPLUNKDB/test/thaweddb
maxTotalDataSizeMB = 500000
frozenTimePeriodInSecs = 31556926
Please let me know if you still want to make any changes in the index details.
Here are the ways that you can delete data from your index: Remove indexes and indexed data
delete command will remove data from an index, but does not recover the disk space.
splunk clean to clean an index will remove all data and recover the disk space; there is no way to do this by date.
You can set retention time for an index in indexes.conf by using the
[yourindex]
#other index settings
frozenTimePeriodInSecs = 31556926
31556926 is the number of seconds in a year. You will need to restart Splunk for this setting to take effect. Splunk will immediately begin to remove data older than one year from the index.
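The two retention rules discussed in this thread (maxTotalDataSizeMB and frozenTimePeriodInSecs), as an added example that is not part of the original posts: a simplified model of which buckets a retention pass would freeze. It assumes a bucket ages out only once its newest event is past the cutoff and that the size rule freezes oldest buckets first; the `Bucket` class, function name and sample buckets are constructed for illustration.

```python
from dataclasses import dataclass

YEAR_SECS = 31556926  # one year, the value used in the thread
DAY = 86400

@dataclass
class Bucket:
    name: str
    earliest: int  # epoch time of the oldest event in the bucket
    latest: int    # epoch time of the newest event in the bucket
    size_mb: int

def buckets_to_freeze(buckets, now, frozen_time_period_in_secs, max_total_data_size_mb):
    """Simplified retention pass: return [(bucket name, rule)] in freeze order."""
    cutoff = now - frozen_time_period_in_secs
    frozen, kept = [], []
    # Age rule: a whole bucket is frozen only when its NEWEST event is past
    # the cutoff, so old events sharing a bucket with newer ones stay on disk.
    for b in sorted(buckets, key=lambda b: b.latest):
        if b.latest < cutoff:
            frozen.append((b.name, "age"))
        else:
            kept.append(b)
    # Size rule: freeze the oldest remaining buckets until the index fits.
    total = sum(b.size_mb for b in kept)
    while kept and total > max_total_data_size_mb:
        oldest = kept.pop(0)
        total -= oldest.size_mb
        frozen.append((oldest.name, "size"))
    return frozen

# Constructed sample index: four buckets, 800000 MB in total.
NOW = 1_700_000_000
SAMPLE = [
    Bucket("db_a", NOW - 600 * DAY, NOW - 500 * DAY, 200000),
    Bucket("db_b", NOW - 400 * DAY, NOW - 300 * DAY, 250000),  # spans the 1-year mark
    Bucket("db_c", NOW - 200 * DAY, NOW - 100 * DAY, 200000),
    Bucket("db_d", NOW - 30 * DAY, NOW - 1 * DAY, 150000),
]

def demo(max_total_data_size_mb=500000):
    return buckets_to_freeze(SAMPLE, NOW, YEAR_SECS, max_total_data_size_mb)

if __name__ == "__main__":
    for name, rule in demo():
        print(f"{name}: frozen by {rule} rule")
```

In this model, db_b holds events older than one year but is not frozen by age, because its newest event is only 300 days old; it goes only when the size cap forces it.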