Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Retention Issue: Why is data getting rolled to frozen before hitting the frozenTimePeriodInSecs setting?

arber
Communicator
‎11-03-2014 06:29 AM

Hello,
we are currently having some issues with an index. Basically we have configured the following in the related index:
[juniper_nsm]
coldPath = $SPLUNK_DB/juniper_nsm/colddb
coldToFrozenDir = $SPLUNK_DB/juniper_nsm/frozendb
homePath = $SPLUNK_DB/juniper_nsm/db
maxDataSize = auto_high_volume
maxTotalDataSizeMB = 600000
thawedPath = $SPLUNK_DB/juniper_nsm/thaweddb
frozenTimePeriodInSecs = 15552000

Theoretically with that frozen time period we should have the logs for at least 6 months online and once frozen moved to the frozendb as per configuration. The problem is that the logs get frozen before that period, its even less that 3 months. we can find the buckets to the frozendb. The index is not full and there is no other configuration for this index in the system.
One thing to mention is that this system generates a huge amount of logs nearly 20-25 gb per day.
What can be the issue that the logs get frozen before the frozentimeperiodsinsec ??Anything related to the maximum buckets in the db ? maybe if a certain nr of buckets is reached it has a larger priority than frozentimeperiod so the logs get frozen ?
Any idea ??

Thanks

Reply

acharlieh
Influencer
‎11-03-2014 07:31 AM

Your maxTotalDataSizeMB setting is 600000 (roughly 585 GB) . If you're logging 20 GB / day to that index, that means your buckets will roll to frozen in roughly 29 days. Buckets can be rolled to frozen if either maxTotalDataSizeMB or frozenTimePeriodInSecs is met. Check out the indexes.conf docs.

Reply

arber
Communicator
‎11-03-2014 08:22 AM

Thanks for the answer.. i will increment it . But i haven't seen this index full or nearly full .. we have an alerting policy in place that if the size is more then 90 % we get an alert. anyway i will increment this and see what happens

Thanks again

0 Karma
Reply

vaithi_m
New Member
‎02-01-2016 06:19 AM

Is it possible to leave 'maxTotalDataSizeMB' un configured or to set it unlimited, so that the 'frozenTimePeriodInSecs' alone can determine the data frozeezing behavior?

0 Karma
Reply

baldwintm
Path Finder
‎02-08-2016 06:41 AM

if you set it to the Max Value (4294967295 = 4 Petabytes), then you should never hit that.

0 Karma
Reply

vaithi_m
New Member
‎02-18-2016 04:54 AM

Hi baldwintm, Thanks for your suggestion. It really helped.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...