Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Old log getting stored as .csv format even before retention?

anil28
New Member
‎07-20-2023 03:24 AM

Hi Team,

We have defined the index retention as 420 days but when we are trying to access the logs those are in .csv format not as event-value format.

PFA of index details and below indexes.conf confuguration if that index.

 

[rt_efb]
# 250MB a day / 35 days in warm / 460 days retention / 8 GB max index size
homePath = volume:hot/rt_efb/db
coldPath = volume:cold/rt_efb/colddb
thawedPath = $SPLUNK_DB/rt_efb/thaweddb
#set to 5 days, +- 5days padding
maxHotSpanSecs = 432000
#set to 2 hot buckets
maxHotBuckets = 2
homePath.maxDataSizeMB = 2500
coldPath.maxDataSizeMB = 5500
frozenTimePeriodInSecs = 39744000
maxTotalDataSizeMB = 26000

 

Can you please suggest us on this?

 

Regards,

Anil

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-21-2023 04:57 AM

Hi

What you are meaning with "those are in .csv format"?

As you are using volumes (it's best practices) there are also those volume sizing parameters which could also affect what you really have on disk.

btw. you cannot define how long events are in warm. There is no that kind of parameter. Only things what you can do is define how many buckets can be on warm state and how much space they have. Of course also max volume is one constraint for all indexes in that volume.

As there are already quite many answers about this issue, You could look those e.g. with google like "site:community.splunk.com splunk event retention parameters" or something similar.

r. Ismo

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...