Index cleanup is not happening as expected

Abilan1
Path Finder

Hi,

I would like to clean up the 1-year-old files, so I have updated the settings as shown below in the indexes.conf file and restarted Splunk, but it didn't clean up my old data. Please find my indexes.conf below:

     [test]
     coldpath = $SPLUNKDB/test/colddb
     homepath = $SPLUNKDB/test/db
     thawedpath = $SPLUNKDB/test/thaweddb
     maxTotalDataSizeMB = 500000
     frozenTimePeriodInSecs = 31556926

Let me know if I need to add any other entries or make any modifications to this indexes.conf file.

0 Karma

gyslainlatsa
Motivator

Hi Abilan1,

Go to the path $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/apps/your_apps/local and paste this stanza:

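     [test]
     # Setting names are case-sensitive: coldPath, homePath, thawedPath
     coldPath = $SPLUNK_DB/test/colddb
     homePath = $SPLUNK_DB/test/db
     thawedPath = $SPLUNK_DB/test/thaweddb
     maxTotalDataSizeMB = 1000000
     # 31536000 seconds = 365 days; buckets whose newest event is older than this are frozen
     frozenTimePeriodInSecs = 31536000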

Next, restart Splunk.
I think it should work.

0 Karma

Abilan1
Path Finder

Hi,

Do you want me to add the new entries to those files in a different location? Whenever we create a new index, it updates the indexes.conf file with the details, right? I am seeing the entries in the indexes.conf file under the splunk_management_console folder, so I've updated the frozen time details there. I am scared to add all the entries to those indexes.conf files, in case it creates any other issues. Please advise.

Thanks!

0 Karma

gyslainlatsa
Motivator

Hi,

Where is your indexes.conf located?

In $SPLUNK_HOME/etc/system/local/?

0 Karma

Abilan1
Path Finder

Hi,

When I view my index through Splunk Web, I can see it is in "splunk_management_console", not in system (Settings > Indexes). I have checked the $SPLUNK_HOME/etc/system/local location, and I don't see any entries in that indexes.conf file.
So when I checked in $SPLUNK_HOME/splunk_management_console/system/local, I found my index-related entry in the indexes.conf file and I've updated the frozen time here.

0 Karma

Jeremiah
Motivator

The path $SPLUNK_HOME/splunk_management_console/system/local doesn't sound like a valid configuration path. Are you sure that's the correct path? Maybe that path is symlinked into $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps?

0 Karma

Abilan1
Path Finder

Hi,

I have verified the path which you have given and I don't see any entries in it. Can you please confirm that the entry (frozenTimePeriodInSecs = 31556926) which I've added to indexes.conf is enough to clean up 1-year-old data? Or do any other related fields need to be added?

0 Karma
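
On the question of whether `frozenTimePeriodInSecs` alone removes year-old data: Splunk freezes whole buckets, and only once the newest event in a bucket is older than the threshold. The following is an added example, not code from the thread or from Splunk; it assumes the standalone-indexer bucket directory naming `db_<newestEpoch>_<oldestEpoch>_<id>`, and the function names and sample bucket names are constructed for illustration.

```python
"""Which buckets of an index are old enough to freeze under frozenTimePeriodInSecs?"""
import re
import time
from pathlib import Path

# Assumption: warm/cold bucket directories are named
# db_<newestEventEpoch>_<oldestEventEpoch>_<id>. Hot buckets (hot_v1_<id>)
# are still being written and are skipped.
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")


def classify_buckets(names, frozen_secs, now=None):
    """Split bucket directory names into (freezable, retained).

    A bucket is freezable only when its NEWEST event is older than
    frozen_secs, so a bucket that also holds recent events keeps its
    old events on disk.
    """
    now = int(time.time()) if now is None else now
    cutoff = now - frozen_secs
    freezable, retained = [], []
    for name in names:
        m = BUCKET_RE.match(name)
        if not m:
            continue  # hot buckets, temp files, anything not a warm/cold bucket
        newest, oldest = int(m.group(1)), int(m.group(2))
        (freezable if newest < cutoff else retained).append((name, newest, oldest))
    return freezable, retained


def scan_index(path, frozen_secs, now=None):
    """Classify the bucket directories under one db/ or colddb/ path."""
    names = [p.name for p in Path(path).iterdir() if p.is_dir()]
    return classify_buckets(names, frozen_secs, now)


if __name__ == "__main__":
    # Constructed sample: fixed "now" and made-up bucket names.
    NOW, DAY = 1_700_000_000, 86_400
    sample = [
        f"db_{NOW - 400 * DAY}_{NOW - 430 * DAY}_1",  # entirely older than a year
        f"db_{NOW - 30 * DAY}_{NOW - 500 * DAY}_2",   # old events, but newest is recent
        "hot_v1_3",
    ]
    old, kept = classify_buckets(sample, 31556926, now=NOW)
    print("freezable:", [b[0] for b in old])
    print("retained: ", [b[0] for b in kept])
```

Point `scan_index` at the index's `db` and `colddb` directories to see which buckets the current threshold would actually freeze.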