Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Old log getting stored as .csv format even before retention?

anil28
New Member
‎07-20-2023 03:24 AM

Hi Team,

We have defined the index retention as 420 days but when we are trying to access the logs those are in .csv format not as event-value format.

PFA of index details and below indexes.conf confuguration if that index.

 

[rt_efb]
# 250MB a day / 35 days in warm / 460 days retention / 8 GB max index size
homePath = volume:hot/rt_efb/db
coldPath = volume:cold/rt_efb/colddb
thawedPath = $SPLUNK_DB/rt_efb/thaweddb
#set to 5 days, +- 5days padding
maxHotSpanSecs = 432000
#set to 2 hot buckets
maxHotBuckets = 2
homePath.maxDataSizeMB = 2500
coldPath.maxDataSizeMB = 5500
frozenTimePeriodInSecs = 39744000
maxTotalDataSizeMB = 26000

 

Can you please suggest us on this?

 

Regards,

Anil

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-21-2023 04:57 AM

Hi

What you are meaning with "those are in .csv format"?

As you are using volumes (it's best practices) there are also those volume sizing parameters which could also affect what you really have on disk.

btw. you cannot define how long events are in warm. There is no that kind of parameter. Only things what you can do is define how many buckets can be on warm state and how much space they have. Of course also max volume is one constraint for all indexes in that volume.

As there are already quite many answers about this issue, You could look those e.g. with google like "site:community.splunk.com splunk event retention parameters" or something similar.

r. Ismo

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...