What is Splunk buckets default retention period?

prasireddy
Explorer

Hi Team,

I wanted to know the default retention period of buckets in Splunk, i.e. hot, warm, cold, frozen and thawed.
How can I find the retention period of each bucket, and where can I check the retention period of each bucket?
Please could you help me with the location or path of each bucket's configuration in Splunk? Actually, I'm new to these bucket concepts. We have only 2 indexers, 1 license master and 1 search head.

Thanks,
Praseeda.


richgalloway
SplunkTrust

Data retention is set on a per-index basis rather than per-bucket.  Retention settings apply only to hot, warm, and cold buckets.  Splunk does not manage frozen or thawed buckets.

You can find the default retention settings in $SPLUNK_HOME/etc/system/default/indexes.conf, but those settings can be overridden by another indexes.conf file.  Use btool to see the current (on-disk) config:

splunk btool indexes list

There's a good .conf presentation on the topic at https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj3_s6al-SAAxVxgIQIHZB8C_4Q...


---
If this reply helps you, Karma would be appreciated.
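The answer above says retention is configured per index in indexes.conf and that `splunk btool indexes list` prints the effective on-disk stanzas. The following script is an added example, not code from the thread or from Splunk: it parses text in that stanza format, applies `[default]` inheritance, and reports for each index how long data is kept (frozenTimePeriodInSecs), the size cap (maxTotalDataSizeMB), whether frozen data is archived or deleted (coldToFrozenDir), and the hot/warm, cold and thawed paths. The index names, paths and the `firewall` overrides are constructed sample values; the `[default]` numbers mirror the shipped defaults (6 years, 500000 MB). You can feed it the output of `splunk btool indexes list` instead of the sample.

```python
"""Parse indexes.conf-style text (the stanza format that
`splunk btool indexes list` prints) and summarise per-index retention."""
import re

# Constructed sample in indexes.conf syntax. The [default] values mirror
# Splunk's shipped defaults; the [firewall] stanza overrides them and
# archives frozen buckets instead of deleting them.
SAMPLE_CONF = """
[default]
frozenTimePeriodInSecs = 188697600
maxTotalDataSizeMB = 500000
maxWarmDBCount = 300

[volume:primary]
path = /opt/splunk/var/lib/splunk

[main]
homePath = $SPLUNK_DB/defaultdb/db
coldPath = $SPLUNK_DB/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb

[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 100000
coldToFrozenDir = /archive/firewall
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_conf(text):
    """Return {stanza: {key: value}} from indexes.conf-style text.
    '#' lines are comments; blank lines and keys outside a stanza are skipped."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def effective_settings(stanzas):
    """Apply [default] inheritance: every index gets the [default] keys
    unless it overrides them. [volume:...] stanzas are not indexes."""
    defaults = stanzas.get("default", {})
    out = {}
    for name, settings in stanzas.items():
        if name == "default" or name.startswith("volume:"):
            continue
        merged = dict(defaults)
        merged.update(settings)
        out[name] = merged
    return out


def retention_summary(text):
    """Return {index: {"days", "max_mb", "frozen_dir", "paths"}}.
    frozen_dir is None when frozen buckets are simply deleted."""
    summary = {}
    for name, s in effective_settings(parse_conf(text)).items():
        secs = int(s.get("frozenTimePeriodInSecs", 0))
        summary[name] = {
            "days": secs / 86400,
            "max_mb": int(s.get("maxTotalDataSizeMB", 0)),
            "frozen_dir": s.get("coldToFrozenDir"),
            "paths": {k: s.get(k) for k in ("homePath", "coldPath", "thawedPath")},
        }
    return summary


if __name__ == "__main__":
    for idx, r in retention_summary(SAMPLE_CONF).items():
        action = f"archived to {r['frozen_dir']}" if r["frozen_dir"] else "deleted"
        print(f"{idx}: kept {r['days']:.0f} days or up to {r['max_mb']} MB, then {action}")
        for key, path in r["paths"].items():
            print(f"  {key} = {path}")
```

Whichever limit is hit first (age or total size) is what rolls a bucket to frozen, so an index with a small maxTotalDataSizeMB can lose data long before frozenTimePeriodInSecs expires; the script reports both so that gap is visible.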

prasireddy
Explorer

Hi @richgalloway,

Actually, when I check in Settings --> Monitoring Console --> Indexing --> Indexes and Volumes --> Index Details: Instance, I didn't see anything under buckets. I'm attaching a screenshot.
Please could you explain once?

[Attachments: buckets.png, MicrosoftTeams-image (7).png, MicrosoftTeams-image (9).png]

richgalloway
SplunkTrust

Perhaps there is an error in the bucket searches.  You may be able to find and correct it by clicking on the "Open in search" icon (magnifying glass).

---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust

If you have access to REST you could try something like

| rest splunk_server=local /services/data/indexes
| join title
    [| rest splunk_server=local /services/data/indexes-extended]
| fields title *ath* *MB *ize* max*
| fields - *expand*

If/when you have a distributed (clustered) environment you need to handle the same records from all search peers (especially indexes-extended). You see those when you change splunk_server=<your indexers>. Just some stats etc. and you will get those values. Also you must check the fields I added there, to make sure they are the ones you need.

prasireddy
Explorer

Hi @isoutamo,

Thank you. I will check.
Moreover, it is not a clustered environment; we have only 2 indexers, 1 license master and 1 search head.
And I have attached the file. Please could you explain the paths, retention policies and bucket configurations from the screenshot?

Thanks in advance.

isoutamo
SplunkTrust

You should read the .conf presentation @richgalloway pointed to. There are a lot of other presentations too, which you can find on the .conf site.

You should also read the base information "About managing indexes" in the docs. Probably there is more on Lantern? Also there are many answers already which you should check if the above documentation isn't enough.

prasireddy
Explorer

Hi @richgalloway,
Please could you explain the paths, retention policies and bucket configurations from the screenshot?

Thanks,

Praseeda
