Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trim an index down to 90 days and recover space

beaunewcomb
Communicator
‎09-26-2012 01:20 PM

So say I have an index that's got data in it back 120 Days, and I want to delete events older than 90 days, keeping the indexes trimmed to 90 days going forward. Would the below process accomplish this?

Set indexes.conf:

[indexname]
frozenTimePeriodInSecs = 7776000

restart splunk

I'm assuming that if I restart splunk, it will automatically go through and start deleting stuff older than 90 days on its own. Is this correct?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

emiller42
Motivator
‎09-28-2012 09:52 AM

One thing to keep in mind is that a bucket won't transition over to frozen until ALL events in the bucket exceed the timeframe given. On low volume indexes, it's possible for a bucket to have data from a wider date range, and thus would hang around longer than expected.

Another way to approach this is to estimate how much data you index in the time period desired, and then set the maxTotalDataSizeMB accordingly.

View solution in original post

Reply
Solved! Jump to solution
Solution

emiller42
Motivator
‎09-28-2012 09:52 AM

One thing to keep in mind is that a bucket won't transition over to frozen until ALL events in the bucket exceed the timeframe given. On low volume indexes, it's possible for a bucket to have data from a wider date range, and thus would hang around longer than expected.

Another way to approach this is to estimate how much data you index in the time period desired, and then set the maxTotalDataSizeMB accordingly.

Reply
Solved! Jump to solution

emiller42
Motivator
‎09-28-2012 11:22 AM

You can, and both will apply. So it will freeze buckets that go past the expiration time, or when the total index exceeds the size parameter. Whichever comes first.

Reply
Solved! Jump to solution

beaunewcomb
Communicator
‎09-28-2012 10:33 AM

Can you set both the max size and time?

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-26-2012 11:17 PM

Yes that's right. Be VERY careful with that. Getting a few numbers wrong could let you lose a LOT of data fast 😉

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎09-26-2012 01:46 PM

Yes 🙂 At least thats the what happened on the index I just tried this.

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...