Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Time based retention time, without a thawed path

avoelk
Communicator
‎10-07-2024 06:57 AM

I'm trying to configure the indexes.conf in such a way that its data retention is exactly 180 days and then does NOT get frozen, but gets deleted. 

 

I've tried to set it with frozenTimePeriodInSecs = 15552000 but now I get the following error: 

 

Validation errors are present in the bundle. Errors=peer=XXX, stanza=someidx Required parameter=thawedPath not configured;

 

so I HAVE TO put a thawed path in it even tho I don't want to freeze anything? how does that make sense? 

 

Kind regards for a clarification!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-07-2024 07:59 AM

Hi @avoelk ,

you don't need to allocate any disk space: the thawed path is only a mount point that you can use to recover frozen buckets, if you don't need it, you must only define the mount point (the thawed_path) in indexes.conf and then you don't need to allocate any disk space.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-07-2024 07:10 AM

Hi @avoelk,

yes, it's a required parameter even if you don't want to restore thawed buckets.

Remember in Splunk the retention period is managed at bucket level, in other words, a bucket is deleted (or frozen) only when the latest event is older than the retention period, this means that you'll surely have in your buckets events older than the retention period, because they are in a bucket with younger events.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

avoelk
Communicator
‎10-07-2024 07:42 AM

Hi Giuseppe and thanks for the swift answer!

But how does it behave if I don't want to allocate a specific diskspace for thawed files/frozen files? 

So there is no way to just have a retention of 180 days and afterwards it will be deleted or did I get something of your answer wrong? 

 

Kind regards

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-07-2024 08:05 AM

Thawed path is the directory in which you'd have to manually put the data to be thawed (or where Splunk puts it after thawing; I don't remember I don't generally thaw buckets). It doesn't have anything to do with the freezing process. If you don't define frozen path (and freeze script) the data will get deleted when rolled to frozen.

And be aware of what @gcusello said - data is rolled on a per bucket basis which means that "resolution" of the bucket rolling process depends on the contents of the buckets - data is being rolled to frozen when _newest_ event in a bucket is older than the retention period. That can be important especially in case of quarantine buckets.

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-07-2024 07:59 AM

Hi @avoelk ,

you don't need to allocate any disk space: the thawed path is only a mount point that you can use to recover frozen buckets, if you don't need it, you must only define the mount point (the thawed_path) in indexes.conf and then you don't need to allocate any disk space.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

avoelk
Communicator
‎10-07-2024 08:06 AM

Thanks a lot !

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...