Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

need information about retention configuration

pacifiquen
Explorer
‎02-06-2024 02:09 AM

Hello Team,

hope you are doing well,

 

- How looks the retention configuration  for 2 years (1 year searchable and 1 year archived) in linux instance.

and how it works? (each year has its configuration, how this works).

- What are the paths and  instances where those configurations are stored/saved in linux instance. (CLI)?

- What link may I use to learn more about retention?

Thank you in advance.

Labels (2)
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-06-2024 05:17 AM

"searchable" and "archived" are Splunk Cloud terms, but this question is in the Splunk Enterprise forum.  Please confirm which is in use.

In Splunk Cloud, one sets the Searchable Days value in the UI or via ACS.  For one year of searching, set the value to 365.  Make sure the maximum size of the index is sufficient to hold the expected volume of data for that time.  Set the archive period by enabling DDAA and entering 730 as the archive time (365 days as searchable plus 365 days archived).

In Splunk Enterprise, data is searchable until it is frozen.  There is no archive status unless you implement a coldToFrozenScript or coldToFrozenDir to move the data to a separate location for safe-keeping.

These settings are in indexes.conf.

For more information, see:

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Admin/ManageIndexes

https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Indexesconf

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Setting_data_retention_rules...

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

pacifiquen
Explorer
‎02-09-2024 06:41 PM

Thank you so much @richgalloway  for your prompty response.

Yes it is a "Splunk Enterprise on premises" and the retention is for

"two years: 

- 1 year being searchable and

- Another 1 year being archived,

all makes 2 years retention.

Q1-How these configuration looks like ? 
Q2- is there any documentation talking about this specifically to "Splunk Enterprise"?

 

Thank you in advance.

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-10-2024 05:29 AM

Perhaps https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy will help.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-10-2024 12:37 AM

Again, as Rich said - all data is searchable as long as it is hot, warm or cold. When it's rolled into frozen, it's either deleted (by default) or moved "out of" your Splunk installation and can be treated as "archived" because it can't be used immediately, needs to be thawed in order to be searchable again. See https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/HowSplunkstoresindexes

As soon as the bucket is frozen (assuming it's not deleted, but copied out to the frozen path or using your own script), it's not managed by Splunk anymore so it's up to you to manage that frozen data and make sure it's kept for another year and deleted after that period.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...