Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Creating an index: New Index Max Size vs Retention

aohls
Contributor
‎08-14-2019 06:08 AM

I am looking to setup a new summary index. When creating the index how does Max Size of Entire Index and Retention interact with one another. Would data get removed once one of these settings are hit? For example if I have 5GB and set the retention to 30 days, if I exceed 5GB at 20 days will it truncate the oldest days at that time; and the same if I set the retention to 30 days but only have 2GB out of 5 used, will it start truncating the old data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Mayurmpatil
Path Finder
‎08-14-2019 06:32 AM

If maxTotalDataSizeMB(index size) is reached before frozenTimePeriodInSecs(retention period), data will be rolled to frozen before the configured time period has elapsed. If archiving has not been configured, unintended data loss can occur.

also if frozenTimePeriodInSecs(retention period) is reached before the index size of 5 gb is not reached , data will be rolled to frozen.

so in theory whatever reaches first will be applicable.

View solution in original post

Reply
Solved! Jump to solution
Solution

Mayurmpatil
Path Finder
‎08-14-2019 06:32 AM

If maxTotalDataSizeMB(index size) is reached before frozenTimePeriodInSecs(retention period), data will be rolled to frozen before the configured time period has elapsed. If archiving has not been configured, unintended data loss can occur.

also if frozenTimePeriodInSecs(retention period) is reached before the index size of 5 gb is not reached , data will be rolled to frozen.

so in theory whatever reaches first will be applicable.

Reply
Solved! Jump to solution

aohls
Contributor
‎08-14-2019 06:51 AM

@Mayurmpatil Thank you. We are just starting to use the summary index so this is helpful.

Reply
Solved! Jump to solution

Mayurmpatil
Path Finder
‎08-18-2019 09:06 PM

@aohls - can you up vote my answer if you have happy with it.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...