Getting Data In

Strict Time Retention Policy

hiph151
Explorer

Hi,

We want to implement a strict 120-day time retention policy for some indexes.
So this config should be fine. To my understanding it's mandatory to also set MaxHotSpanSecs to 24h (and of course the frozen path).

MaxHotSpanSecs = 86400 (1 day)
FrozenTimePeriodinSec = 10368000 (120 days)

Thank you

0 Karma

hiph151
Explorer

Thanks for your answers! I participated in the Splunk Admin course, and in the learning PDF there is a simple example:
HR data has to be frozen after 90 days, but not sooner. There is also a hint: if a bucket spans more than one day, you can't meet the 90-day requirement.

I have a real project now, and our requirements are 120 days, so I'm thinking about these maxHotSpanSecs to reach our 120 days. But if you say the "frozenTimePeriodinSecs" is enough, then I'm also satisfied 🙂

Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Setting `MaxHotSpanSecs` to a day or less is a good idea in this case. It helps to ensure each bucket only contains a single day of data so you can better enforce your retention policy.

---
If this reply helps you, Karma would be appreciated.
0 Karma

koshyk
Super Champion

MaxHotSpanSecs is NOT mandatory, as it will go to the default value if not set. It defaults to 7776000 seconds (90 days).

All the settings you need are (example):

[_introspection]
homePath   = volume:home/_introspection/db
coldPath = volume:cold/_introspection/colddb
thawedPath = volume:cold/_introspection/thaweddb
tstatsHomePath = volume:tstats/_introspection/datamodel_summary
# Let volumes handle size; set a high limit per index (100GB * 120 days), just to be safe
maxTotalDataSizeMB = 12288000
# 120 days total retention
frozenTimePeriodInSecs = 10368000
repFactor = auto

Another good thing is to test your indexes.conf in a development system by setting the frozen time to 2 days etc., just to see if all works well. It is also good practice to set the "indexer volume" accordingly.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That setting for FrozenTimePeriodinSec should do the job. It may not be as strict as you expect, however. The setting is not enforced until the newest event in a bucket is past the time specified so there could be events much older than 120 days by the time the bucket is deleted. It depends on how many events fit into the bucket and how active the index is.

Why do you think MaxHotSpanSecs must be set to one day? The default is 90 days so, obviously, it can have other values.

---
If this reply helps you, Karma would be appreciated.
0 Karma
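To make the bucket-level behaviour described in this reply concrete, here is a small simulation (added here; it is not from any post in this thread or from Splunk itself) that models only the two time settings under discussion: a hot bucket rolls once its span reaches maxHotSpanSecs, and a bucket is frozen only when its newest event is older than frozenTimePeriodInSecs. Size-based rolling and maxTotalDataSizeMB are deliberately ignored, and the one-event-per-day stream is constructed sample data.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class Bucket:
    earliest: int                       # oldest event time in the bucket
    latest: int                         # newest event time in the bucket
    events: list = field(default_factory=list)


def build_buckets(event_times, max_hot_span_secs):
    """Group event timestamps into buckets, rolling the hot bucket once its
    time span would reach max_hot_span_secs (simplified model: time-based
    rolling only, no size-based rolls)."""
    buckets = []
    for t in sorted(event_times):
        if buckets and t - buckets[-1].earliest < max_hot_span_secs:
            b = buckets[-1]
            b.latest = max(b.latest, t)
            b.events.append(t)
        else:
            buckets.append(Bucket(earliest=t, latest=t, events=[t]))
    return buckets


def retained_buckets(buckets, now, frozen_time_period_in_secs):
    """A bucket is frozen (removed) only once its NEWEST event is older than
    frozenTimePeriodInSecs, so older events inside it survive until then."""
    return [b for b in buckets if now - b.latest <= frozen_time_period_in_secs]


def oldest_retained_age_days(event_times, max_hot_span_secs, now, frozen_secs):
    """Age in days of the oldest event still searchable at 'now'."""
    kept = retained_buckets(build_buckets(event_times, max_hot_span_secs), now, frozen_secs)
    if not kept:
        return 0
    return (now - min(b.earliest for b in kept)) // DAY


# Constructed sample: one event per day for 300 days; 'now' is the last event day.
EVENTS = [d * DAY for d in range(300)]
NOW = 299 * DAY
FROZEN_120_DAYS = 120 * DAY

if __name__ == "__main__":
    for span_days in (90, 1):   # 90 days = Splunk default maxHotSpanSecs
        age = oldest_retained_age_days(EVENTS, span_days * DAY, NOW, FROZEN_120_DAYS)
        print(f"maxHotSpanSecs={span_days}d -> oldest retained event is {age} days old")
```

With the default 90-day span the oldest surviving event is 209 days old, because its bucket is not frozen until the bucket's newest event passes 120 days; with a one-day span the oldest survivor is 120 days old.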