Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove data when it ages

shangshin
Builder
‎06-25-2012 01:33 PM

Hi, I saw the doc on how to remove data when it ages.
Most of my log data goes to the default index db which is "main"

So assuming I want to index data for ONLY the latest one hour, I added these 2 lines in /etc/system/default/indexes.conf 

[main]
frozenTimePeriodInSecs = 3600

On top of that I also created a new file /etc/system/local/indexes.conf with the same 2 lines.

[main]
frozenTimePeriodInSecs = 3600

Then I restarted splunk server but I still saw data older than 1 hour ago.

Can anyone shed some light on it? Thank you!!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-25-2012 02:24 PM

Hi Shangshin

Keeping only one hour of data is pretty short, what is your use case ?

A short frozenTimePeriodInSecs will not be enough to ensure that the data is frozen quickly.
This is because the events are written in buckets, a bucket have a certain span of time, or a maximum size. The bucket being written are in hot state, and roll to warm (or cold) state when they became read only. But only warm or cold state buckets can actually be frozen, and only if all the events their contains are older than the frozenTimePeriodInSecs or the maximum size of the index is reached. Then the ones containing the oldest events will be frozen.

The maxHotSpanSecs parameter can be used to limit the span times for your buckets, and force them to roll from hot to warm more often. Then the frozenTimePeriodInSecs will kick in.

see http://wiki.splunk.com/Deploy:BucketRotationAndRetention
http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Indexesconf

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-25-2012 02:24 PM

Hi Shangshin

Keeping only one hour of data is pretty short, what is your use case ?

A short frozenTimePeriodInSecs will not be enough to ensure that the data is frozen quickly.
This is because the events are written in buckets, a bucket have a certain span of time, or a maximum size. The bucket being written are in hot state, and roll to warm (or cold) state when they became read only. But only warm or cold state buckets can actually be frozen, and only if all the events their contains are older than the frozenTimePeriodInSecs or the maximum size of the index is reached. Then the ones containing the oldest events will be frozen.

The maxHotSpanSecs parameter can be used to limit the span times for your buckets, and force them to roll from hot to warm more often. Then the frozenTimePeriodInSecs will kick in.

see http://wiki.splunk.com/Deploy:BucketRotationAndRetention
http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Indexesconf

Reply
Solved! Jump to solution

shangshin
Builder
‎06-26-2012 11:53 AM

Thanks for detail explanation. It's very helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Top