Getting Data In
Highlighted

Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Path Finder

Hi ,

We are about to reach the maximum size of the disk on our Indexer server. Please suggest if there is any way to purge data that is 90 days old from Splunk Web, or is there any setting to overwrite the old files from Splunk Web?

0 Karma
Highlighted

Re: Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Legend

Go into the settings menu on the indexer, and look for indexes. On the indexes page, you can see the size of the various indexes. Reduce the size of one or more indexes. Splunk will immediately begin to remove/freeze the oldest data until all indexes are under the maximum size.

You can also set a time limit for the data as well, but that setting is not available from the GUI.

Highlighted

Re: Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Path Finder

Thank You so much!
1. In case If I want to clean up all the 1 year old Data from my "TEST" index, how can I do that?
2. Also please confirm me we need to modify which size (Max size (MB) of entire index or Max size (MB) of hot/warm/cold bucket)? Also If we modified this size, will it automatically purge the old data in future whenever this index touches it's maximum size. do we need to restart after this modification?

0 Karma
Highlighted

Re: Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Path Finder

Hi ,

Can someone please help me here?

0 Karma
Highlighted

Re: Is there a way to delete data on an indexer from Splunk Web to free up disk space?

SplunkTrust
SplunkTrust

Have a look at this https://wiki.splunk.com/Deploy:BucketRotationAndRetention

The data retention is done either based on total max size of index (hot + warm + col) using maxTotalDataSizeMB OR based on bucket age (buckets older than specified period will be frozen(deleted by default)) using frozenTimePeriodInSecs attribute, for the index in indexes.conf.

The purging will done automatically by Splunk at regular interval and a restart will be required for this change to take place (if done via conf files directly).

0 Karma
Highlighted

Re: Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Path Finder

Thank you!

0 Karma
Highlighted

Re: Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Path Finder

Hi ,

I have updated the settings as like below and restarted splunk, but it didn't clean up my old data from the indexer. Please find my indexes.conf below

[test]
coldpath = $SPLUNKDB/test/colddb
homepath = $SPLUNKDB/test/db
thawedpath = $SPLUNKDB/test/thaweddb
maxTotalDataSizeMB = 500000
frozenTimePeriodInSecs = 31556926

Please let me know if you still want to make any changes in the index details.

0 Karma
Highlighted

Re: Is there a way to delete data on an indexer from Splunk Web to free up disk space?

Legend

Here are the ways that you can delete data from your index: Remove indexes and indexed data

The delete command will remove data from an index, but does not recover the disk space.
Using splunk clean to clean an index will remove all data and recover the disk space; there is no way to do this by date.

You can set retention time for an index in indexes.conf by using the frozenTimePeriodInSecs setting

[yourindex]
#other index settings
frozenTimePeriodInSecs = 31556926

31556926 is the number of seconds in a year. You will need to restart Splunk for this setting to take effect. Splunk will immediately began to remove data older than one year from the index.

View solution in original post

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.