Re: For data retention what takes precedence, time...

scottj1y · ‎05-02-2017

We have an index with a retention set to 6 hours or 300 GB of disk space. The index is only 46 GB right now but there are events that are days old still in it. Why haven't they been aged out?

The configuration change was pushed out by the master indexer which did a rolling restart of the peer indexers. Here's the configuration file

[main]
repFactor=auto
homePath = $SPLUNK_DB/main/db
coldPath = $SPLUNK_DB/main/colddb
thawedPath = $SPLUNK_DB/main/thawddb
# Set maximum data size of index to 300,000MB/300GB
maxTotalDataSizeMB = 300000
# Set maximun retention to 6 hrs
frozenTimePeriodInSecs = 21600


[long_lived]
repFactor=auto
homePath = $SPLUNK_DB/long_lived/db
coldPath = $SPLUNK_DB/long_lived/colddb
thawedPath = $SPLUNK_DB/long_lived/thaweddb
# Set maximum data size of index to 700,000MB/700GB
maxTotalDataSizeMB = 700000

niketn · ‎05-02-2017

Max size overrides all other retention settings.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock · ‎05-02-2017

Show your settings to get better help. Did you restart the splunk instances on your indexers after you deployed your changes?

woodcock · ‎05-02-2017

All settings for retention are applied independently; there is no precedence/cooperation.

jhupka_splunk · ‎05-02-2017

It is also important to consider that if you are often hitting the maxTotalDataSizeMB before the age specified in frozenTimePeriodInSecs, then you can potentially confusing "holes" in your data when people search. This especially becomes apparent with multiple Indexers because Indexer 1 might start running out of disk and culling buckets, but Indexer 2 is fine on space and has older data spanning the time period of the deleted buckets from Indexer 1. When you search over the time period, there might be end-user confusion if they are expecting 100% of the results for that time period but due to size half were deleted on Indexer 1.

woodcock · ‎05-03-2017

Yes, it is VERY important that each indexer gets the same amount of data for each index or holes will result.

scottj1y · ‎05-02-2017

There seems to be some disagreement. Woodcock you say there is no procedence and Niketnilay says max size overrides all other retention settings.

woodcock · ‎05-02-2017

I agree with everybody; it is just different ways of saying the same thing. There is NO setting that can cause another setting that has been triggered NOT to act.

jkat54 · ‎05-02-2017

If guns don't kill people, people kill people, does that mean toast toast toast? 😛

I feel like that's what we are saying.

jkat54 · ‎05-02-2017

I agree with woodcock. Whichever comes first takes prescedence be it time or size... Other way of saying it is that all take precedence.

For data retention what takes precedence, time or disk usage?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation