Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Old log getting stored as .csv format even before retention?

anil28
New Member
‎07-20-2023 03:24 AM

Hi Team,

We have defined the index retention as 420 days but when we are trying to access the logs those are in .csv format not as event-value format.

PFA of index details and below indexes.conf confuguration if that index.

 

[rt_efb]
# 250MB a day / 35 days in warm / 460 days retention / 8 GB max index size
homePath = volume:hot/rt_efb/db
coldPath = volume:cold/rt_efb/colddb
thawedPath = $SPLUNK_DB/rt_efb/thaweddb
#set to 5 days, +- 5days padding
maxHotSpanSecs = 432000
#set to 2 hot buckets
maxHotBuckets = 2
homePath.maxDataSizeMB = 2500
coldPath.maxDataSizeMB = 5500
frozenTimePeriodInSecs = 39744000
maxTotalDataSizeMB = 26000

 

Can you please suggest us on this?

 

Regards,

Anil

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-21-2023 04:57 AM

Hi

What you are meaning with "those are in .csv format"?

As you are using volumes (it's best practices) there are also those volume sizing parameters which could also affect what you really have on disk.

btw. you cannot define how long events are in warm. There is no that kind of parameter. Only things what you can do is define how many buckets can be on warm state and how much space they have. Of course also max volume is one constraint for all indexes in that volume.

As there are already quite many answers about this issue, You could look those e.g. with google like "site:community.splunk.com splunk event retention parameters" or something similar.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...