Hi ,
I would like to cleanup the 1 year old files, so I have updated the settings as like below in Indexes.conf file and restarted splunk, but it didn't clean up my old data. Please find my indexes.conf below
[test]
coldpath = $SPLUNKDB/test/colddb
homepath = $SPLUNKDB/test/db
thawedpath = $SPLUNKDB/test/thaweddb
maxTotalDataSizeMB = 500000
frozenTimePeriodInSecs = 31556926
Let me know if I need to add any other entries or any modification this indexes.conf file.
hi Abilan1,
go in the path $ SPLUNK_HOME/etc/system/local/
OR $SPLUNK_HOME/etc/apps/your_apps/local
and paste this stanza
[test]
coldpath = $SPLUNKDB/test/colddb
homepath = $SPLUNKDB/test/db
thawedpath = $SPLUNKDB/test/thaweddb
maxTotalDataSizeMB = 1000000
frozenTimePeriodInSecs = 31536000
next you restart splunk.
I think it should work
Hi ,
Do you want me to add the new entries on those files in different location? Whenever we create the new index, it updates indexes.conf file with details right? I am seeing the entries under splunk_management_console folder indexes.conf file. so I've updated frozen time details there. I am scared to add all the entries to those indexes.conf file, in case if it creates any other issues. Please advise.
Thanks!
hi,
where is located your index.conf?
in $ SPLUNK_HOME / etc / system / local /
?
Hi ,
When I see my Index though Splunk Web, I can see it is in "splunk_management_console" not in system. (Settings > Indexes). I have checked $ SPLUNK_HOME / etc / system / local location, I don't see any entries on that indexes.conf file.
So when I checked in $ SPLUNK_HOME/splunk_management_console/system/local, I found my index related entry in indexes.conf file and I've updated frozen time here.
The path $ SPLUNK_HOME/splunk_management_console/system/local doesn't sound like a valid configuration path. Are you sure that's the correct path? Maybe that path is symlinked into $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps ?
Hi,
I have verified the path which you have given and I don't see any entries on that..Can you please confirm the entry(frozenTimePeriodInSecs = 31556926) which I've added into indexes.conf is enough to cleanup 1 year old data? Or any other related fields needs to be added to that?