Re: Shrink or reduce indexer

nikhilmehra79 · ‎11-09-2014

HI,

I have been gathering data on an indexer for more than 2 years and though data has been useful but i think we can reduce the data to 1.5 yrs, is there is a way to shrink truncate indexers?

What are recommended ways to maintain life of data, i know ageing from hot to warl to cold buckets is something i have heard of not sure how it works (does splunk automatically take care of it or is something i need to do as admin?)

tom_frotscher · ‎11-10-2014

Hi,

there are two ways to control the size of your indexes: size and time.

When you create or configer an index, you can give the index a maximum size (maxTotalDataSizeMB). Whenever this size is reached, events are frozen. This can be done via WebUI. The second option is to configure a time period, whenever all events are older than the time period, the events are frozen (frozenTimePeriodInSecs). If you have no action defined for the transition to frozen (for example a script) the events are deleted. You can find additional infos here: link.

Greetings

Tom

kristian_kolb · ‎11-10-2014

And it might be worth to mention that since both of these settings have a default value, the discarding of data will be triggered by whichever of these limits gets hit first.

So if you want to use time as a limiting factor, ensure that you set the maxTotalDataSizeMB so high that you can be certain that frozenTimePeriodInSecs will trigger before the size constraint. And vice versa.

/k

Shrink or reduce indexer

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation