Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with notable index retention kept for 180 days but saving logs for 90 days

Mohammed123
Loves-to-Learn Everything
3 weeks ago

Dear,

The issue with the notable index, we have configured the notable index with 18 mnths retention period and also maxtotaldatasizemb to 20gb, its only used 10 % of 20gb, so as this configuration it need to have data for last 18 months but i can see last 90 days for notable index, when we checked last week its getting from 2nd july when i checked this week its getting from july 12th, so its storing only 90 days,

can you have any solution for this we are only using hot warm cold not frozen we configured the live data for 18 mnths then it will be deleted, but for notable index its only have for 90 days data nit 180 days , 

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Motivator
3 weeks ago

@Mohammed123 

It might be misconfigured index settings. Also might be because of bucket aging and cold storage limit/availability.
Share your index settings along with storage details.

splunk cmd btool indexes list notable --debug

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
3 weeks ago

The settings for "live" data are independent of those for the notable index.  Please share the indexex.conf settings for the [notable] stanza.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
3 weeks ago
Also share your volume definitions if you are using volumes.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...