Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Splunk keeping data beyond retention period

Marko
Explorer
‎04-23-2024 09:40 AM

I'm investigating why Splunk is keeping data beyond retention period stated in frozenTimePeriodInSecs?

How can i fix this?

 

Labels (2)
0 Karma
Reply

deepakc
Builder
‎04-23-2024 09:48 AM

Indexed data is set at the bucket (folder) level, Buckets are only frozen deleted or optionally archived when the newest event in the bucket is older than frozenTimePeriodInSecs, therefore you may have a bucket that contains both new and really old data, but the old data won't be frozen until all of the data in the bucket are old (Splunk calculates this in the background)

0 Karma
Reply

Marko
Explorer
‎04-24-2024 10:44 AM

Thanks @deepakc 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...