Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trim an index down to 90 days and recover space

beaunewcomb
Communicator
‎09-26-2012 01:20 PM

So say I have an index that's got data in it back 120 Days, and I want to delete events older than 90 days, keeping the indexes trimmed to 90 days going forward. Would the below process accomplish this?

Set indexes.conf:

[indexname]
frozenTimePeriodInSecs = 7776000

restart splunk

I'm assuming that if I restart splunk, it will automatically go through and start deleting stuff older than 90 days on its own. Is this correct?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

emiller42
Motivator
‎09-28-2012 09:52 AM

One thing to keep in mind is that a bucket won't transition over to frozen until ALL events in the bucket exceed the timeframe given. On low volume indexes, it's possible for a bucket to have data from a wider date range, and thus would hang around longer than expected.

Another way to approach this is to estimate how much data you index in the time period desired, and then set the maxTotalDataSizeMB accordingly.

View solution in original post

Reply
Solved! Jump to solution
Solution

emiller42
Motivator
‎09-28-2012 09:52 AM

One thing to keep in mind is that a bucket won't transition over to frozen until ALL events in the bucket exceed the timeframe given. On low volume indexes, it's possible for a bucket to have data from a wider date range, and thus would hang around longer than expected.

Another way to approach this is to estimate how much data you index in the time period desired, and then set the maxTotalDataSizeMB accordingly.

Reply
Solved! Jump to solution

emiller42
Motivator
‎09-28-2012 11:22 AM

You can, and both will apply. So it will freeze buckets that go past the expiration time, or when the total index exceeds the size parameter. Whichever comes first.

Reply
Solved! Jump to solution

beaunewcomb
Communicator
‎09-28-2012 10:33 AM

Can you set both the max size and time?

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-26-2012 11:17 PM

Yes that's right. Be VERY careful with that. Getting a few numbers wrong could let you lose a LOT of data fast 😉

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎09-26-2012 01:46 PM

Yes 🙂 At least thats the what happened on the index I just tried this.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...