Index cleanup is not happening as expected

Abilan1
Path Finder

Hi,

I would like to clean up the 1-year-old files, so I have updated the settings as shown below in the indexes.conf file and restarted Splunk, but it didn't clean up my old data. Please find my indexes.conf below.

     [test]
     coldPath = $SPLUNK_DB/test/colddb
     homePath = $SPLUNK_DB/test/db
     thawedPath = $SPLUNK_DB/test/thaweddb
     maxTotalDataSizeMB = 500000
     frozenTimePeriodInSecs = 31556926

Let me know if I need to add any other entries or make any modifications to this indexes.conf file.

0 Karma

gyslainlatsa
Motivator

Hi Abilan1,

Go to the path $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/apps/your_apps/local and paste this stanza:

     [test]
     coldPath = $SPLUNK_DB/test/colddb
     homePath = $SPLUNK_DB/test/db
     thawedPath = $SPLUNK_DB/test/thaweddb
     maxTotalDataSizeMB = 1000000
     frozenTimePeriodInSecs = 31536000

Next, restart Splunk.
I think it should work.

0 Karma

Abilan1
Path Finder

Hi,

Do you want me to add the new entries to those files in a different location? Whenever we create a new index, it updates the indexes.conf file with the details, right? I am seeing the entries in the indexes.conf file under the splunk_management_console folder, so I've updated the frozen time details there. I am scared to add all the entries to those indexes.conf files, in case it creates any other issues. Please advise.

Thanks!

0 Karma

gyslainlatsa
Motivator

Hi,

Where is your indexes.conf located?

In $SPLUNK_HOME/etc/system/local/?

0 Karma

Abilan1
Path Finder

Hi,

When I view my index through Splunk Web (Settings > Indexes), I can see it is in "splunk_management_console", not in system. I have checked the $SPLUNK_HOME/etc/system/local location, and I don't see any entries in that indexes.conf file.
So when I checked in $SPLUNK_HOME/splunk_management_console/system/local, I found my index-related entry in the indexes.conf file and I've updated the frozen time there.

0 Karma

Jeremiah
Motivator

The path $SPLUNK_HOME/splunk_management_console/system/local doesn't sound like a valid configuration path. Are you sure that's the correct path? Maybe that path is symlinked into $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps?

0 Karma

Abilan1
Path Finder

Hi,

I have verified the path which you have given and I don't see any entries there. Can you please confirm that the entry (frozenTimePeriodInSecs = 31556926) which I've added to indexes.conf is enough to clean up 1-year-old data? Or do any other related fields need to be added?

0 Karma
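
An added example, not written by any poster in this thread: Splunk freezes a bucket as a whole, and only once its newest event is older than frozenTimePeriodInSecs, so a bucket that still contains recent events keeps its year-old events as well. The Python sketch below applies that rule to warm/cold bucket directory names (db_<newest>_<oldest>_<id>); the function name, the sample directory names and the NOW timestamp are constructed for illustration.

```python
import re

# Warm/cold bucket directories are named db_<newest>_<oldest>_<id>
# (rb_ for replicated copies, optional _<guid> suffix on clustered indexers).
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")


def classify_buckets(dir_names, frozen_secs, now):
    """Return (eligible, retained, skipped) for a list of bucket dir names.

    eligible: buckets whose NEWEST event is older than frozen_secs
    retained: (name, seconds_until_eligible) for buckets still inside retention
    skipped:  names that are not warm/cold buckets (hot buckets, temp dirs)
    """
    eligible, retained, skipped = [], [], []
    for name in dir_names:
        m = BUCKET_RE.match(name)
        if not m:
            skipped.append(name)
            continue
        newest = int(m.group(1))  # epoch time of the newest event in the bucket
        age = now - newest
        if age > frozen_secs:
            eligible.append(name)
        else:
            retained.append((name, frozen_secs - age))
    return eligible, retained, skipped


# Constructed sample data (hypothetical index contents).
NOW = 1700000000
FROZEN_SECS = 31556926  # value from the stanza in the question
SAMPLE_DIRS = [
    "db_1660000000_1650000000_3",  # newest event ~463 days old
    "db_1690000000_1655000000_4",  # oldest event >1 year old, newest ~116 days
    "hot_v1_7",                    # hot bucket, not frozen until it rolls
]

if __name__ == "__main__":
    eligible, retained, skipped = classify_buckets(SAMPLE_DIRS, FROZEN_SECS, NOW)
    print("eligible to freeze:", eligible)
    for name, remaining in retained:
        print(f"retained: {name} ({remaining / 86400:.0f} days until eligible)")
    print("skipped:", skipped)
```

To confirm which indexes.conf actually supplies the setting, `splunk btool indexes list test --debug` prints the effective stanza together with the file each value comes from.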