Splunk Enterprise

Data retention policy

Adamzeee123
Engager

Hello,

I currently deploy Splunk Enterprise and wanted to find out how to set a data retention policy for the index labelled as ‘Main’ within the Indexes section in Splunk Enterprise. Since the ‘main’ index is filling up and taking most of the space on the SSD, I need to set the policy for any data in the ‘main’ index to auto-delete every 3 months.

I have found the Indexes.conf file, but under the settings for the ‘Main’ index there isn’t a line for frozen bucket duration time. Is it a case of me just adding the line for frozen bucket duration or max space?

Thank you!


livehybrid
SplunkTrust

Hi,

For setting a 3-month (90-day) retention policy, you'll need to add or modify the settings for the "main" index in indexes.conf. The primary setting you're looking for is frozenTimePeriodInSecs, which controls how long data is kept before being frozen (and typically deleted).

Update your indexes.conf file. If this is a single instance of Splunk you will want to update $SPLUNK_HOME/etc/system/local/indexes.conf (typically /opt/splunk/etc/system/local/indexes.conf).

Add or modify the [main] stanza with the appropriate retention settings:

[main]
# 90 days (3 months) in seconds
frozenTimePeriodInSecs = 7776000

This setting will cause any data older than 90 days to be frozen and, by default, deleted (unless you've configured a custom coldToFrozenScript).

You could also control retention by disk space using maxTotalDataSizeMB, which would set a maximum size for the index rather than a time-based policy.

If the "main" stanza already exists in your indexes.conf, just add the frozenTimePeriodInSecs line to it. If the stanza doesn't exist, you'll need to create it.

After making these changes, you'll need to restart Splunk for them to take effect:

$SPLUNK_HOME/bin/splunk restart

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
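
As an added example (not part of the original answer, and not Splunk's own tooling): a pre-change check that reads the [main] stanza and lists which buckets would be frozen, since Splunk freezes a whole bucket once its newest event is older than frozenTimePeriodInSecs. It assumes the db_<newest_time>_<oldest_time>_<id> bucket directory naming and reads a single file with no layering across conf files; the function names and sample values are constructed for illustration.

```python
import re
import time

# Constructed sample: the [main] stanza from the answer, comment on its own line.
SAMPLE_CONF = """\
[main]
# 90 days (3 months) in seconds
frozenTimePeriodInSecs = 7776000
"""
SPLUNK_DEFAULT_FROZEN_SECS = 188697600  # Splunk's shipped default (about 6 years)

def frozen_secs(conf_text, index="main"):
    """Return frozenTimePeriodInSecs for [index], or Splunk's default if unset."""
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            stanza = m.group(1)
            continue
        key, _, value = line.partition("=")
        if stanza == index and key.strip() == "frozenTimePeriodInSecs":
            value = value.strip()
            if not value.isdigit():
                # e.g. a trailing "# comment": Splunk reads it as part of the value
                raise ValueError(f"non-numeric value: {value!r}")
            return int(value)
    return SPLUNK_DEFAULT_FROZEN_SECS

def buckets_to_freeze(bucket_dirs, retention_secs, now=None):
    """Buckets whose newest event is older than the retention period."""
    now = int(time.time()) if now is None else now
    expired = []
    for name in bucket_dirs:
        m = re.fullmatch(r"(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?", name)
        if m and now - int(m.group(1)) > retention_secs:
            expired.append(name)
    return expired

if __name__ == "__main__":
    # Constructed bucket names: db_<newest_time>_<oldest_time>_<id>
    sample = ["db_1700000000_1699000000_3", "db_1709000000_1708000000_12"]
    secs = frozen_secs(SAMPLE_CONF)
    print(secs // 86400, "days;", buckets_to_freeze(sample, secs, now=1712000000))
```

To see the merged setting Splunk actually applies and which file it comes from, run $SPLUNK_HOME/bin/splunk btool indexes list main --debug.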
