Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

retention policy

jbates58
Observer
‎01-14-2024 04:05 PM

Hi All,

I have tried looking over the documentation for this, but I am super confused. And really struggling to wrap my head around this.

I have an environment where Splunk is ingesting syslog from 2 firewalls. The logs are only audit / management related, and these need to be sent to a sperate server for compliance (hence splunk).

I  want to configure a retention policy where this data is deleted after 1 year, as that is the specific requirement.

From what i can tell, i just need to add the "frozentimeinseconds" line to the index conf file for the "main" index (as this is where the events are going)

Current ingestion is ~150,000 events per day. And daily ingestion is ~30-35MB.However, this is subject to change in the future as more firewalls come online etc..

There is plenty of storage available. However the requirement is just 1 year of searchable data.

But I keep seeing things about hot/warm/cold/frozen etc.. and i just dont get it. All thats needed is 1 year of searchable data, anything older than (time.now() - 365 days) can be deleted.

 

Can someone please assist me with what i need to do to make this work 🙂

Labels (3)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-14-2024 11:45 PM

Hi

getting exact retention time for e.g. 1y in splunk could be almost mission impossible 😞

There is several parameters how splunk define when it removes those buckets, which has all events older than your defined retention time! You must understand than when splunk calculate retention in reality it's for all events in bucket! It's not event based, as a smallest storage unit is a bucket not an event. Practically this means that splunk can remove bucket, when all events in that bucket has older than your defined retention.

In your case, you have quite low event volume, which means that you could have one bucket, which contains events from several months max(15GB divide 30MB divided by #hot buckets for that index ). Usually you have several (default is 3) active hot buckets (per search peer) at same time, where splunk can write new events. Default for keeping a bucket as hot is 90d or when it's come full or when you restart splunk. There are also some other parameters which could affect this!

Here is some links where you could learn more how this is actually working:

r. Ismo

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2024 11:28 PM

Hi @jbates58 ,

at first on the server containin the indexes, don't use the main index, but create a custom index (e.g. firewalls)

then for this new index define the retention you want (one year).

Then assign the new index name to the inputs that you should have on your Forwarders.

At least, when you'll ingest more logs, you should monitor your index to undertand if the dimension you configured is correct or if you need to enlarge it.

Ciao.

Giuseppe

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎01-14-2024 05:45 PM

Hi @jbates58 Yes, at times the retention policy may give difficult times. 

in DMC Server, Pls check this...  Settings > Monitoring Console > Indexing > Indexes and Volumes > Index Detail: Instance

Splunk-retention-policy.jpg

EDIT - Pls check the docs at https://docs.splunk.com/Documentation/Splu nk/9.1.2/Admin/Indexesconf

one thing to remember - frozenTimePeriodInSecs vs maxTotalDataSizeMB - can give confusion as well (i remember whichever comes first will work and take precedence over the other)

 

0 Karma
Reply

jbates58
Observer
‎01-14-2024 06:02 PM

Here is the contents of that page. I have redacted out a little bit of info relating to the environment.

 

jbates58_0-1705284047904.png

 

jbates58_1-1705284129840.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...