
Which indexes.conf should I edit to set retirement policy?

wuming79
Path Finder

Hi,

I'm trying to delete old data due to a space issue and I found this: http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Setaretirementandarchivingpolicy

But then I found that I have 4 indexes.conf files on my Linux machine. Which one should I edit?


gcusello
SplunkTrust

Hi wuming79,
indexes.conf is usually in apps or in $SPLUNK_HOME/etc/system/local.
From your screenshot I see that you haven't installed apps with indexes.conf, so you have to:

  • copy the file you find in $SPLUNK_HOME/etc/system/default to $SPLUNK_HOME/etc/system/local,
  • then modify it by changing or adding the following row in the stanzas of the indexes, to delete old data:

    frozenTimePeriodInSecs = xxx

where xxx is the retention time in seconds (e.g. one year is 31,536,000).

When you install or create new apps, you have to do the same thing to the indexes.conf file that you find in the app (always remember to copy the file from the default folder to the local folder).

Bye.
Giuseppe
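
To illustrate the answer above, here is an added example, not part of gcusello's post and not Splunk's own code: it merges several indexes.conf layers in Splunk's global-context precedence order (system/local, then app local, app default, system/default) and reports which file supplies frozenTimePeriodInSecs for an index. The file contents and the names example_app, example_idx and other_idx are constructed for illustration.

```python
# Added example: resolve which indexes.conf layer supplies a setting.
# File contents below are constructed samples, not taken from the post.
LAYERS = [  # highest precedence first (Splunk global-context order)
    ("etc/system/local/indexes.conf",
     "[main]\nfrozenTimePeriodInSecs = 31536000\n"),
    ("etc/apps/example_app/local/indexes.conf",
     "# no overrides yet\n"),
    ("etc/apps/example_app/default/indexes.conf",
     "[example_idx]\nhomePath = $SPLUNK_DB/example_idx/db\n"
     "frozenTimePeriodInSecs = 7776000\n"),
    ("etc/system/default/indexes.conf",
     "[default]\nfrozenTimePeriodInSecs = 188697600\n"
     "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n"
     "[other_idx]\nhomePath = $SPLUNK_DB/other_idx/db\n"),
]

def parse_conf(text):
    """Parse stanza/key=value text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(layers):
    """Merge layers; the first (highest-precedence) file to set a key wins."""
    merged = {}
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {}).setdefault(key, (value, path))
    return merged

def retention(index, layers=LAYERS):
    """Return (seconds, days, source file) for frozenTimePeriodInSecs."""
    merged = effective(layers)
    key = "frozenTimePeriodInSecs"
    # Fall back to [default] when the index stanza never sets the key
    # (a simplification made by this example).
    value, path = merged.get(index, {}).get(key) or merged["default"][key]
    return int(value), int(value) // 86400, path

if __name__ == "__main__":
    for idx in ("main", "example_idx", "other_idx"):
        print(idx, retention(idx))
```

On a real instance, `splunk btool indexes list --debug` prints the merged settings together with the file each one comes from.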


wuming79
Path Finder

Hi,

May I know what kind of apps will have indexes.conf installed in local? I have installed many apps such as "Splunk for Snort", "Correlation{X}", "Splunk Security Essentials for Ransomware", but every time I follow the instructions from the documents, there is bound to be something missing or different...


andrei1bc
Communicator

An example app is https://splunkbase.splunk.com/app/2647/ . After you install this one, a new index will be created.
