Hello,
I currently deploy Splunk Enterprise and wanted to find out how to set a data retention policy for the index labelled as ‘Main’ within the index’s section in Splunk Enterprise. Since the ‘main’ index is filling up taking most of the space on the SSD, I need to set the policy for any data in the ‘main’ index to auto delete every 3 months.
I have found the Indexes.conf file but under the settings for the ‘Main’ index there isn’t a line for frozen bucket duration time? Is it a case of me just adding the line for frozen bucket duration or max space?
Thank you!
Hi, for setting a 3-month (90-day) retention policy, you'll need to add or modify the settings for the "main" index in indexes.conf. The primary setting you're looking for is frozenTimePeriodInSecs, which controls how long data is kept before being frozen (and typically deleted).
Update your indexes.conf file. If this is a single instance of Splunk you will want to update $SPLUNK_HOME/etc/system/local/indexes.conf (typically /opt/splunk/etc/system/local/indexes.conf).
Add or modify the [main] stanza with the appropriate retention settings:
[main]
# 90 days (3 months) in seconds
frozenTimePeriodInSecs = 7776000
This setting will cause any data older than 90 days to be frozen and, by default, deleted (unless you've configured a custom coldToFrozenScript).
You could also control retention by disk space using maxTotalDataSizeMB, which would set a maximum size for the index rather than a time-based policy.
If the "main" stanza already exists in your indexes.conf, just add the frozenTimePeriodInSecs line to it. If the stanza doesn't exist, you'll need to create it.
After making these changes, you'll need to restart Splunk for them to take effect:
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
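The steps above (find the local indexes.conf, add or edit the [main] stanza, set frozenTimePeriodInSecs to 90 days in seconds) can be scripted so the edit is repeatable and checked before a restart. The following is an added example written for this thread, not code from the answer above or from Splunk. It assumes a plain INI-style indexes.conf with no continuation lines, uses a constructed sample file rather than a real deployment, and deliberately rejects trailing inline comments on a value, because Splunk .conf files only treat whole lines starting with # as comments.

```python
# Added example (not from the original thread or from Splunk): set a retention
# value in one stanza of an indexes.conf-style file, leaving the rest untouched.
from __future__ import annotations

import re

SECONDS_PER_DAY = 86400
STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def days_to_seconds(days: int) -> int:
    """Retention in whole days -> value for frozenTimePeriodInSecs."""
    return days * SECONDS_PER_DAY


def set_stanza_setting(text: str, stanza: str, key: str, value) -> str:
    """Return text with `key = value` present in [stanza].

    Replaces the key if it already exists in that stanza, appends it to the
    stanza if absent, and creates the stanza at the end of the file if the
    stanza itself is missing. Comments and other stanzas are preserved.
    """
    new_line = f"{key} = {value}"
    out: list[str] = []
    in_target = seen_stanza = written = False

    def append_before_trailing_blanks() -> None:
        # Place the new line at the end of the stanza body, not after its blank lines.
        pos = len(out)
        while pos > 0 and out[pos - 1].strip() == "":
            pos -= 1
        out.insert(pos, new_line)

    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            if in_target and not written:  # leaving the target stanza without the key
                append_before_trailing_blanks()
                written = True
            in_target = m.group(1) == stanza
            seen_stanza = seen_stanza or in_target
            out.append(line)
            continue
        if in_target and not line.lstrip().startswith("#"):
            k, sep, _ = line.partition("=")
            if sep and k.strip() == key:
                out.append(new_line)  # overwrite the existing value
                written = True
                continue
        out.append(line)

    if in_target and not written:  # target stanza was the last one in the file
        append_before_trailing_blanks()
    elif not seen_stanza:
        out.extend(["", f"[{stanza}]", new_line])
    return "\n".join(out) + "\n"


def get_stanza_setting(text: str, stanza: str, key: str) -> str | None:
    """Raw value of key in [stanza], or None if it is not set there."""
    in_target = False
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            in_target = m.group(1) == stanza
            continue
        if in_target and not line.lstrip().startswith("#"):
            k, sep, v = line.partition("=")
            if sep and k.strip() == key:
                return v.strip()
    return None


def retention_seconds(text: str, stanza: str) -> int:
    """frozenTimePeriodInSecs for stanza as an int; rejects non-numeric values.

    A line like 'frozenTimePeriodInSecs = 7776000 # 90 days' is NOT a number
    plus a comment to Splunk: the whole remainder is the value. Fail loudly
    rather than guess.
    """
    raw = get_stanza_setting(text, stanza, "frozenTimePeriodInSecs")
    if raw is None:
        raise KeyError(f"frozenTimePeriodInSecs not set in [{stanza}]")
    if not raw.isdigit():
        raise ValueError(f"bad frozenTimePeriodInSecs in [{stanza}]: {raw!r}")
    return int(raw)


# Constructed sample standing in for $SPLUNK_HOME/etc/system/local/indexes.conf.
SAMPLE_CONF = """\
# local overrides (constructed sample)
[main]
homePath = $SPLUNK_DB/defaultdb/db
maxTotalDataSizeMB = 500000

[other]
frozenTimePeriodInSecs = 100
"""

if __name__ == "__main__":
    updated = set_stanza_setting(SAMPLE_CONF, "main",
                                 "frozenTimePeriodInSecs", days_to_seconds(90))
    print(updated)
    print("main retention (s):", retention_seconds(updated, "main"))
```

To apply it to a real file, read the local indexes.conf, pass its contents through set_stanza_setting, write the result back, then restart Splunk; `splunk btool indexes list main --debug` afterwards shows which file the merged value actually comes from, which is the quickest way to confirm the local override won.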