Getting Data In

Retention policy for index not working as intended

annebeate
Path Finder

Hi,

I have an index which should only have data for the past 3 hours. I've set the frozenTimePeriodInSecs to 10800. I activated the configuration on the 2nd of February, but data are still present from that date. I think I need to reduce the size of the buckets. Could you please recommend which parameters I should set to accomplish a retention policy of 3 hours? The size of the index is 28 MB as of now.

[s02683_minesider_prod_audit]
coldPath = $SPLUNK_DB/s02683_minesider_prod_audit/colddb
homePath = $SPLUNK_DB/s02683_minesider_prod_audit/db
thawedPath = $SPLUNK_DB/s02683_minesider_prod_audit/thaweddb
frozenTimePeriodInSecs = 10800

0 Karma

kristian_kolb
Ultra Champion

Hi,

You know that Splunk will only freeze (i.e. delete) a bucket when the newest event in that bucket is older than your retention limit. Unless you have a very high volume of traffic, you need to set your bucket size rather small.

For example, if your index receives 60 MB of logs per hour, you could set your bucket size to 10 MB. With average compression rates (~50%) you should have about 20 minutes worth of log data per bucket (as long as you only have one hot bucket at a time). Given that you only freeze when the newest event is too old, the oldest events in your index should be 3h20m at any given time.

However, working with such small indexes and buckets is not what Splunk was engineered for, and I don't know how often freeze checks are actually made. Also, I think that from a performance perspective, larger buckets (>750 MB) are more efficient, but then again, your data set seems rather small, so that perhaps has less impact in your case.

/K

kristian_kolb
Ultra Champion

I was more thinking about maxDataSize.
maxHotSpanSecs might work too, but I think I would prefer the combination of frozenTimePeriodInSecs and maxDataSize. I have not played around with this extensively, so do not take my advice as Divine Truth.

Oh, and the freeze checks are controlled through the rotatePeriodInSecs parameter.

/K

0 Karma

annebeate
Path Finder

Thanks for your reply 🙂 Which parameter do you recommend that I use: maxHotSpanSecs or homePath.maxDataSizeMB?

homePath.maxDataSizeMB =
* Limits the size of the hot/warm DB to the maximum specified size, in MB.

maxHotSpanSecs =
* Upper bound of timespan of hot/warm buckets in seconds.
* Defaults to 7776000 seconds (90 days).

0 Karma
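The thread's point (a bucket is frozen only once its newest event is older than frozenTimePeriodInSecs, so the oldest data still on disk is roughly the retention period plus one bucket's span, and with a default-sized bucket a 28 MB index has never rolled a bucket at all) is easier to see in a model. The following is an added example, not code from this thread or from Splunk: a small simulation of hot-to-warm rolling and freezing that lets you compare Kristian's maxDataSize approach with the maxHotSpanSecs approach annebeate asks about, and prints the resulting indexes.conf stanza. The parameter names (frozenTimePeriodInSecs, maxDataSize, maxHotSpanSecs, rotatePeriodInSecs) are the real ones; everything else is an assumption of the model: one hot bucket at a time, a constant ingest rate, 60 s between freeze checks, maxDataSize defaulting to 750 MB, and constructed ingest figures (60 MB/h raw, ~50% compression, as in Kristian's example).

```python
"""Model of how Splunk rolls and freezes buckets, to size maxDataSize or
maxHotSpanSecs for a 3-hour frozenTimePeriodInSecs.

Added example, not code from this thread or from Splunk. Mechanics follow
the thread: a bucket is frozen only when its newest event is older than
frozenTimePeriodInSecs, and freeze checks run every rotatePeriodInSecs.
Assumptions: one hot bucket at a time, constant ingest, 60 s checks.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TICK_SECS = 60  # simulation step == the rotatePeriodInSecs we assume


@dataclass
class Bucket:
    earliest: int     # _time of the oldest event in the bucket (seconds)
    latest: int       # _time of the newest event (what freezing looks at)
    size_kb: int = 0  # on-disk size


@dataclass
class IndexModel:
    frozen_time_period_secs: int
    max_data_size_mb: int      # maxDataSize: hot bucket rolls to warm at this size
    max_hot_span_secs: int     # maxHotSpanSecs: hot bucket rolls at this age
    raw_kb_per_tick: int       # constructed ingest rate
    compression: float         # on-disk size / raw size (constructed, ~0.5)
    hot: Optional[Bucket] = None
    warm: List[Bucket] = field(default_factory=list)
    frozen: int = 0

    def ingest(self, now: int) -> None:
        if self.hot is None:
            self.hot = Bucket(earliest=now, latest=now)
        self.hot.latest = now
        self.hot.size_kb += int(self.raw_kb_per_tick * self.compression)
        full = self.hot.size_kb >= self.max_data_size_mb * 1024
        aged = now - self.hot.earliest >= self.max_hot_span_secs
        if full or aged:
            self.warm.append(self.hot)   # hot -> warm; retention is judged per bucket
            self.hot = None

    def freeze_check(self, now: int) -> None:
        # Frozen (deleted, since no coldToFrozenDir is set) only when the
        # NEWEST event is past retention; older events in the same bucket
        # stay on disk until then.
        keep = []
        for b in self.warm:
            if now - b.latest > self.frozen_time_period_secs:
                self.frozen += 1
            else:
                keep.append(b)
        self.warm = keep

    def oldest_age(self, now: int) -> int:
        buckets = self.warm + ([self.hot] if self.hot else [])
        return now - min(b.earliest for b in buckets)


def bucket_span_secs(max_data_size_mb: float, raw_mb_per_hour: float,
                     compression: float) -> int:
    """Wall-clock seconds one bucket covers before maxDataSize fills it."""
    return int(max_data_size_mb / compression / raw_mb_per_hour * 3600)


def simulate(max_data_size_mb: int, max_hot_span_secs: int, hours: int,
             retention_secs: int = 10800, raw_mb_per_hour: int = 60,
             compression: float = 0.5):
    """Return (worst age of the oldest retained event in seconds, buckets frozen)."""
    idx = IndexModel(retention_secs, max_data_size_mb, max_hot_span_secs,
                     raw_kb_per_tick=raw_mb_per_hour * 1024 * TICK_SECS // 3600,
                     compression=compression)
    worst = 0
    for tick in range(hours * 3600 // TICK_SECS):
        now = tick * TICK_SECS
        idx.ingest(now)
        idx.freeze_check(now)   # once per rotatePeriodInSecs
        worst = max(worst, idx.oldest_age(now))
    return worst, idx.frozen


def stanza(name: str, retention_secs: int, max_data_size_mb: int,
           max_hot_span_secs: int) -> str:
    """indexes.conf stanza combining the settings discussed in the thread."""
    return "\n".join([
        f"[{name}]",
        f"homePath = $SPLUNK_DB/{name}/db",
        f"coldPath = $SPLUNK_DB/{name}/colddb",
        f"thawedPath = $SPLUNK_DB/{name}/thaweddb",
        f"frozenTimePeriodInSecs = {retention_secs}",
        f"maxDataSize = {max_data_size_mb}",
        f"maxHotSpanSecs = {max_hot_span_secs}",
        f"rotatePeriodInSecs = {TICK_SECS}",
    ])


if __name__ == "__main__":
    print("750 MB bucket:", simulate(750, 7776000, hours=6))   # nothing freezes
    print("10 MB bucket:", simulate(10, 7776000, hours=6))     # oldest ~3h19m
    print("maxHotSpanSecs=600:", simulate(750, 600, hours=6))  # oldest ~3h10m
    print(stanza("s02683_minesider_prod_audit", 10800, 10, 7776000))
```

With the assumed 60 MB/h and ~50% compression, a 10 MB maxDataSize gives 1200 s of data per bucket, so the oldest retained event sits at about frozenTimePeriodInSecs plus one bucket span (11940 s, or 3h19m, in the model), while maxHotSpanSecs = 600 bounds it at about 3h10m regardless of volume, which is why the time-based knob is the more predictable one when ingest is bursty. With the assumed default of 750 MB nothing rolls in six hours, so nothing is ever eligible for freezing, which is consistent with the symptom in the question. Run the stanza past btool (splunk btool indexes list) after editing, and remember that changing maxDataSize only affects buckets rolled from then on; the existing oversized hot bucket is not retroactively split.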