Hi all!
I need help on how to check the retention set in Splunk using a Splunk search,
and any other way we can check it and see the time set for when the data will be deleted: 3 months or 6 months?
And also, how can we change it?
Thank you in advance
Hi @pacifikn,
did you see the Splunk Monitoring Console [Settings -- Monitoring Console -- Indexes -- Indexes and Volumes -- Indexes and Volumes: Instance]?
If you need a search you can use and modify the search of the Indexes panel:
| rest splunk_server=DESKTOP-KBVMP9Q /services/data/indexes
| eval frozenTimePeriodDay = round(frozenTimePeriodInSecs / 86400, 0)
| eval frozenTimePeriodDay = if(isnull(frozenTimePeriodDay) OR frozenTimePeriodDay == 0, "unlimited", frozenTimePeriodDay)
| table title frozenTimePeriodDay
Ciao.
Giuseppe
Hi,
You can run the query below to find the retention period of indexes.
| rest splunk_server=INDEXER_HOSTNAME/IP /services/data/indexes f=title f=frozenTimePeriodInSecs
| stats values(frozenTimePeriodInSecs) as frozenTimePeriodInSecs by title
| eval "Retention (In Days)" = frozenTimePeriodInSecs/86400
To set retention for the index, you need to set the frozenTimePeriodInSecs parameter in indexes.conf
Dear @gcusello
I have a question. For example, if you set that the data will be deleted at 6 months, does it mean it will delete the data for the six months up to now, or does it delete the data and keep the current data?
For example, if you started indexing the data in October,
does the retention of six months mean it will delete all the data until next February?
Which means that if we're in April, I can't see data for January and February?
Hi @pacifikn,
as I said, logs of each are stored in buckets; for each bucket an earliest and a latest date are defined.
For deletion, the earliest data is relevant: when the earliest event exceeds the retention period, the entire bucket is discarded.
so, in your example:
if you have in a bucket events from 01/10/2019 to 31/12/2019 and you have a retention of six months, this full bucket will be discarded at 01/07/2020.
If you have other events of 31/12/2019 in another bucket with earlier events, they will not be discarded at 01/07/2020, e.g. if you have events of 31/12/2019 in another bucket (e.g. with the earliest event at 10/03/2020), they will not be discarded at 01/07/2020, but when the earliest event of their bucket exceeds the retention period (10/09/2020).
Ciao.
Giuseppe
Hi @pacifikn,
about the data deletion, remember that deletion is managed on buckets: when the earliest event in a bucket exceeds the retention period, the bucket is frozen (deleted or frozen). This means that you could also have events that exceed the retention period, because in the same bucket there are events that don't exceed it.
To check this, you can still use the Monitoring console or use the above search adding also the latest time event in index.
To modify the retention period, you have to set the frozenTimePeriodInSecs parameter in each index of indexes.conf
Ciao.
Giuseppe
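
One way to run the check suggested above at bucket level, as an added example that is not part of any post in this thread: it lists each bucket's earliest and latest event next to the index's retention cutoff. It assumes the search runs where `dbinspect` and the `/services/data/indexes` endpoint are available; `splunk_server=local`, the `cutoff` field and the `retention_status` labels are choices made for this example.

```spl
| dbinspect index=*
``` one row per bucket, with startEpoch (earliest event) and endEpoch (latest event) ```
| join type=left index
    [| rest splunk_server=local /services/data/indexes f=title f=frozenTimePeriodInSecs
     | rename title as index
     | fields index frozenTimePeriodInSecs]
``` cutoff = the point in time that is exactly one retention period ago ```
| eval cutoff = now() - frozenTimePeriodInSecs
| eval retention_days = round(frozenTimePeriodInSecs / 86400, 0)
``` compare both ends of the bucket with the cutoff ```
| eval retention_status = case(
    isnull(frozenTimePeriodInSecs), "retention unknown",
    endEpoch < cutoff, "all events older than retention",
    startEpoch < cutoff, "some events older than retention",
    true(), "all events within retention")
| eval earliest_event = strftime(startEpoch, "%Y-%m-%d"),
       latest_event = strftime(endEpoch, "%Y-%m-%d"),
       cutoff_date = strftime(cutoff, "%Y-%m-%d")
| sort index startEpoch
| table index bucketId state earliest_event latest_event retention_days cutoff_date retention_status
```

Buckets reported as "some events older than retention" are the ones where searchable data can be older than the configured period, because removal happens per bucket and not per event.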