Setting searchable retention while creating Index from GUI

man03359
Communicator

Hi,

I am starting with Splunk admin and am confused about one topic. It might be silly.

While creating an index, we get the option to set the Searchable Retention (in days). I have read from the documents that Splunk has 4 buckets: hot, warm, cold, and frozen.

My question is: suppose I have set it to 90 days. During this 90-day period, will the data be in the hot bucket for the entire 90 days and roll to frozen after the 90-day period is over? Also, how different is setting 90 days under Searchable Retention from setting this below:

[main]
frozenTimePeriodInSecs = 7,776,000

Please explain.

Thanks in advance.


gcusello
SplunkTrust

Hi @man03359 ,

First, in frozenTimePeriodInSecs, don't use commas.

Then, the meaning of the four statuses is the following:

Hot: just indexed data, in a bucket with tsidx index creation in progress, usable for on-line searches,

Warm: data indexed a few days ago, used by most searches and usable for on-line searches; they are usually located in high-performance storage (at least 800 IOPS, better more),

Cold: not so recent data, used by few searches and usable for on-line searches; they are usually located in less expensive storage,

Frozen: data that are stored off line but that can be recovered by copying the entire bucket into the thawed folder. To have frozen data, you must configure Splunk to save them; by default they are deleted.

Data roll to frozen after the earliest event of a bucket exceeds the retention period; for this reason you could have, in your searches, data before the retention period.

If you use a short retention period and you index little data, your bucket could pass directly from Warm to Frozen or be deleted.

It's very difficult for data to pass directly from Hot to Frozen, because a bucket rolls from Hot to Warm when it reaches 10 GB or after three days; you would need a retention period of less than three days and less than 10 GB indexed in this period.

For more details see https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Setaretirementandarchivingpolicy and https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Howindexingworks

Ciao.

Giuseppe

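As an added illustration of the two points above (the comma problem in frozenTimePeriodInSecs and why data older than the retention period can still be searchable), here is a small Python script that is not part of the original thread or of Splunk. It assumes a minimal hypothetical indexes.conf stanza parser, and it models the freeze rule as the indexes.conf spec states it: a bucket rolls to frozen only once every event in it is older than frozenTimePeriodInSecs.

```python
import re

SECONDS_PER_DAY = 86400

# Constructed input: the stanza from the question (with the commas Splunk
# rejects) beside a corrected copy of it.
USER_STANZA = "[main]\nfrozenTimePeriodInSecs = 7,776,000\n"
FIXED_STANZA = "[main]\nfrozenTimePeriodInSecs = 7776000\n"


def days_to_frozen_secs(days: int) -> int:
    """Searchable retention in days -> the frozenTimePeriodInSecs value."""
    return days * SECONDS_PER_DAY


def parse_stanza(text: str) -> dict:
    """Hypothetical minimal parser: {stanza: {key: raw string value}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            result[current] = {}
            continue
        key, _, value = line.partition("=")
        result.setdefault(current, {})[key.strip()] = value.strip()
    return result


def check_frozen_period(conf: dict, stanza: str) -> list:
    """Return the problems to flag for frozenTimePeriodInSecs in one stanza."""
    problems = []
    value = conf.get(stanza, {}).get("frozenTimePeriodInSecs")
    if value is None:
        problems.append("frozenTimePeriodInSecs not set; the [default] value applies")
    elif not value.isdigit():  # rejects "7,776,000", negatives and units
        problems.append(f"must be a plain non-negative integer, got {value!r}")
    return problems


def bucket_is_frozen(oldest_age_secs: int, newest_age_secs: int, retention_secs: int) -> bool:
    """Every event must exceed the retention period, so only the newest event's
    age decides; the oldest event's age is accepted only to make that explicit."""
    assert oldest_age_secs >= newest_age_secs
    return newest_age_secs > retention_secs
```

A bucket whose oldest event is 100 days old but whose newest is 80 days old is therefore still searchable under a 90-day retention, which is the "data before the retention period" effect described above.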

man03359
Communicator

@gcusello 

So it means if we set the search retention period as 90 days under here:

(image: man03359_0-1709186688393.png)

It stays at hot, warm, and cold during those 90 days and after 90 days rolls to the frozen bucket?


gcusello
SplunkTrust

Hi @man03359,

This seems to be Splunk Cloud; in this case you don't need to manage the buckets.

Bucket management and configuration is required only on on-premise installations.

For Splunk Cloud, you only have to define how long you want to store data, also because, by default, you have 90 days, and if you want a longer period, you have to pay for the additional storage.

Ciao.

Giuseppe
