Getting Data In

Remove data when it ages

shangshin
Builder

Hi, I saw the doc on how to remove data when it ages.
Most of my log data goes to the default index, which is "main".

So, assuming I want to index data for ONLY the latest one hour, I added these 2 lines to /etc/system/default/indexes.conf

[main]
frozenTimePeriodInSecs = 3600

On top of that I also created a new file, /etc/system/local/indexes.conf, with the same 2 lines.

[main]
frozenTimePeriodInSecs = 3600

Then I restarted the Splunk server, but I still saw data older than 1 hour.

Can anyone shed some light on it? Thank you!!!

1 Solution

yannK
Splunk Employee

Hi Shangshin

Keeping only one hour of data is pretty short; what is your use case?

A short frozenTimePeriodInSecs will not be enough to ensure that the data is frozen quickly.
This is because the events are written in buckets, and a bucket has a certain time span, or a maximum size. The buckets being written are in the hot state, and roll to the warm (or cold) state when they become read-only. But only warm or cold buckets can actually be frozen, and only if all the events they contain are older than frozenTimePeriodInSecs or the maximum size of the index is reached. Then the ones containing the oldest events will be frozen.

The maxHotSpanSecs parameter can be used to limit the time span of your buckets, and force them to roll from hot to warm more often. Then frozenTimePeriodInSecs will kick in.

see http://wiki.splunk.com/Deploy:BucketRotationAndRetention
http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Indexesconf
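To make the bucket lifecycle above concrete, here is an added example (not code from the original thread or from Splunk) that parses an indexes.conf stanza of the kind discussed and runs a simplified model of the indexer's rotation check over six hours of simulated events. The model is an assumption, not Splunk's implementation: a hot bucket rolls to warm when its time span reaches maxHotSpanSecs, and a warm bucket is frozen when its newest event is older than frozenTimePeriodInSecs. Size-based rolls (maxDataSize), hot-bucket count limits and rolls on restart are deliberately left out. The stanza and the event stream are constructed for this example.

```python
"""Added example: a simplified model of Splunk bucket rotation
(hot -> warm -> frozen) showing why frozenTimePeriodInSecs alone
does not trim an index to the last hour, and what adding
maxHotSpanSecs changes. This is NOT Splunk's code; the lifecycle
rules below are a stated assumption for illustration.
"""
import configparser
from dataclasses import dataclass, field

# Stanza in the shape the thread discusses. Constructed here; in a real
# deployment it belongs in $SPLUNK_HOME/etc/system/local/indexes.conf
# (not .../default/, which upgrades overwrite).
INDEXES_CONF = """
[main]
frozenTimePeriodInSecs = 3600
maxHotSpanSecs = 3600
"""


def load_index_settings(conf_text: str, index: str = "main") -> dict:
    """Parse an indexes.conf-style stanza into integer settings,
    falling back to the indexes.conf.spec defaults when a key is absent
    (maxHotSpanSecs = 90 days, frozenTimePeriodInSecs = 188697600 s)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep camelCase keys exactly as written
    cp.read_string(conf_text)
    settings = {"maxHotSpanSecs": 7776000, "frozenTimePeriodInSecs": 188697600}
    for key in settings:
        if cp.has_option(index, key):
            settings[key] = cp.getint(index, key)
    return settings


@dataclass
class Bucket:
    earliest: int           # oldest event timestamp in the bucket
    latest: int             # newest event timestamp in the bucket
    state: str = "hot"      # hot | warm | frozen (cold omitted: same rule as warm)


@dataclass
class Index:
    max_hot_span: int
    frozen_after: int
    buckets: list = field(default_factory=list)

    def ingest(self, event_time: int) -> None:
        """Append an event to the open hot bucket, creating one if needed."""
        hot = [b for b in self.buckets if b.state == "hot"]
        if hot:
            hot[-1].earliest = min(hot[-1].earliest, event_time)
            hot[-1].latest = max(hot[-1].latest, event_time)
        else:
            self.buckets.append(Bucket(event_time, event_time))

    def maintain(self, now: int) -> None:
        """Simplified periodic rotation check (assumption, see docstring)."""
        for b in self.buckets:
            # 1. A hot bucket rolls to warm once its span reaches maxHotSpanSecs.
            if b.state == "hot" and b.latest - b.earliest >= self.max_hot_span:
                b.state = "warm"
            # 2. Only a warm bucket can freeze, and only when *every* event in
            #    it (i.e. its newest one) is older than frozenTimePeriodInSecs.
            if b.state == "warm" and now - b.latest > self.frozen_after:
                b.state = "frozen"

    def oldest_searchable_age(self, now: int) -> int:
        """Seconds between now and the oldest still-searchable event."""
        live = [b for b in self.buckets if b.state != "frozen"]
        return now - min(b.earliest for b in live) if live else 0


def simulate(settings: dict, hours: int = 6, step: int = 60) -> int:
    """Ingest one event every `step` seconds for `hours` hours, running the
    rotation check after each, and return how far back searchable data reaches."""
    idx = Index(settings["maxHotSpanSecs"], settings["frozenTimePeriodInSecs"])
    now = 0
    for now in range(0, hours * 3600, step):
        idx.ingest(now)
        idx.maintain(now)
    return idx.oldest_searchable_age(now)


if __name__ == "__main__":
    only_frozen = "[main]\nfrozenTimePeriodInSecs = 3600\n"
    print("frozenTimePeriodInSecs only :", simulate(load_index_settings(only_frozen)), "s")
    print("plus maxHotSpanSecs = 3600  :", simulate(load_index_settings(INDEXES_CONF)), "s")
```

Under this model, the stanza with only frozenTimePeriodInSecs leaves the whole six hours searchable, because the single hot bucket never rolls and so is never eligible to freeze, which is exactly the symptom in the question. Adding maxHotSpanSecs = 3600 bounds the searchable window to a little under two hours: one warm bucket waiting out its frozen period plus the hot bucket currently being written. You cannot get to exactly one hour with these two settings alone. Two practitioner checks worth doing for real: run `splunk btool indexes list main --debug` to see which file each effective value comes from (it will show whether the local or default copy wins), and remember that frozen buckets are deleted unless coldToFrozenDir or coldToFrozenScript is set, so a very short frozenTimePeriodInSecs is an irreversible retention decision.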

shangshin
Builder

Thanks for the detailed explanation. It's very helpful.
