Delete Old Splunk data using frozenTimePeriodInSecs: prerequisites

splunkr00kie
Engager

I am looking to completely remove data from an index after 30 days. Looking into utilizing "frozenTimePeriodInSecs" to set the threshold, but from what I've looked into this applies to an entire bucket. Just need some confirmation of my understanding before moving forward:

- Does "frozenTimePeriodInSecs" only apply to warm or cold buckets? If I were to set this without configuring warm or cold buckets, would it not touch the hot bucket due to Splunk not allowing it to pull directly from there?

- If so, am I correct to assume that I also need to set the "maxHotSpanSecs" AND "maxDataSize" parameters slightly before (like a day) so "frozenTimePeriodInSecs" can then pull from the warm bucket to delete?

Thank you in advance

richgalloway
SplunkTrust
SplunkTrust

IIRC, frozenTimePeriodInSecs applies to both warm and cold buckets.

Yes, you should also set the maxHotSpanSecs attribute if you wish for buckets to contain only 1 day of data.

There is no "pull from the bucket to delete". The entire bucket is deleted once the oldest event inside it exceeds the frozen time setting.

---
If this reply helps you, Karma would be appreciated.

splunkr00kie
Engager

So let me use an analogy to make sure I understand, using Splunk's terms:

As data is coming in, it's "pouring" into a hot bucket. Once the "maxHotSpanSecs" threshold is met, it moves that bucket to warm and I'm assuming it creates a new hot bucket for the newer data pouring in. Once the bucket goes to warm, "frozenTimePeriodInSecs" kicks in and starts to count down in seconds based off of its set value. When that is met, the entire bucket is deleted.

That sound correct?

richgalloway
SplunkTrust
SplunkTrust

Yes

---
If this reply helps you, Karma would be appreciated.
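To make the whole-bucket behaviour concrete, the following Python model is an added example (not from the thread or from Splunk). It assumes, following the indexes.conf spec, that a warm or cold bucket rolls to frozen only once every event in it is older than frozenTimePeriodInSecs, and it ignores maxDataSize and maxHotIdleSecs; it shows why the 1-day maxHotSpanSecs matters for a 30-day retention target.

```python
"""Added model (not from the thread or Splunk) of whole-bucket freezing.
Assumption, per indexes.conf.spec: a warm/cold bucket rolls to frozen (deleted
without a coldToFrozenScript) only once every event in it is older than
frozenTimePeriodInSecs; hot buckets are never frozen. maxDataSize is ignored."""
from dataclasses import dataclass

DAY = 86400
FROZEN_30_DAYS = 30 * DAY      # frozenTimePeriodInSecs = 2592000
DEFAULT_HOT_SPAN = 90 * DAY    # maxHotSpanSecs default (7776000)

@dataclass
class Bucket:
    earliest: int   # epoch seconds of the oldest event in the bucket
    latest: int     # epoch seconds of the newest event in the bucket
    state: str      # "hot", "warm" or "cold"

def rolls_to_frozen(b: Bucket, now: int, frozen_secs: int) -> bool:
    """True if the whole bucket would be frozen (deleted) at time `now`."""
    if b.state == "hot":
        return False
    return now - b.latest > frozen_secs   # the newest event sets the clock

def build_buckets(event_times, max_hot_span):
    """Group events into buckets whose span is bounded by maxHotSpanSecs; the
    bucket still receiving data is hot, the rest have already rolled to warm."""
    buckets = []
    for t in sorted(event_times):
        if buckets and t - buckets[-1].earliest <= max_hot_span:
            buckets[-1].latest = t
        else:
            buckets.append(Bucket(t, t, "warm"))
    if buckets:
        buckets[-1].state = "hot"
    return buckets

def oldest_surviving_age_days(event_times, now, frozen_secs, max_hot_span):
    """Age in days of the oldest event still on disk after freezing runs."""
    kept = [b for b in build_buckets(event_times, max_hot_span)
            if not rolls_to_frozen(b, now, frozen_secs)]
    return max(now - b.earliest for b in kept) // DAY if kept else 0

# Constructed sample: one event per day for the last 120 days.
NOW = 1_700_000_000
EVENTS = [NOW - d * DAY for d in range(120)]

if __name__ == "__main__":
    for span in (DEFAULT_HOT_SPAN, DAY):   # default span vs. the 1-day span discussed
        age = oldest_surviving_age_days(EVENTS, NOW, FROZEN_30_DAYS, span)
        print(f"maxHotSpanSecs={span}: oldest event still kept is {age} days old")
```

With the constructed sample, the default 90-day hot span still keeps a 119-day-old event after 30-day freezing, while maxHotSpanSecs=86400 caps the oldest surviving event at 31 days.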