Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Attempting to retire (delete) old data

RNB
Path Finder
‎06-28-2011 06:36 AM

I would like to trim back on the amount of disk space being used. We have decided that we would like to keep about 18 months worth of data. We do not have to retain our data for any legislated period of time. Last week I added frozenTimePeriodInSecs = 46656000 to /opt/splunk/etc/system/local/indexes.conf.

I had assumed from the documentation that rotatePeriodInSecs = 60 in /opt/splunk/etc/system/default/indexes.conf would cause the move to frozen (delete) would start almost immediately after a restart. However, despite a restart, I still have data prior to 18 months ago.

What am I missing?

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-28-2011 07:17 AM

Splunk will not freeze a bucket until the newest event in the bucket is older than frozenTimePeriodInSecs. Your buckets containing 18+ month old data could have just one event newer than that and it would be enough to keep the whole bucket alive. You could use the dbinspect search command to produce a report on the status of your various buckets. http://www.splunk.com/base/Documentation/latest/SearchReference/Dbinspect

You'd be looking for buckets where the latestTime is more than 46656000 seconds ago - those are the ones that should have rolled off by now.

View solution in original post

Reply
Solved! Jump to solution

e2zippo
New Member
‎02-04-2013 05:49 AM

I'm having some trouble getting this to work as well,( I only want to save 6 months back)
I've created a indexes.conf and put it in

/splunk/etc/system/local/indexes.conf

And the only line in that file is

frozenTimePeriodInSecs = 15768000.

I've restarted splunk several times, but nothing happens.

What would be the easiest way to remove data older than six months and keep it that way based on what I've done?

Keep in mind I've barely touched Splunk, I just installed it.

Cheers!

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎06-28-2011 07:17 AM

Splunk will not freeze a bucket until the newest event in the bucket is older than frozenTimePeriodInSecs. Your buckets containing 18+ month old data could have just one event newer than that and it would be enough to keep the whole bucket alive. You could use the dbinspect search command to produce a report on the status of your various buckets. http://www.splunk.com/base/Documentation/latest/SearchReference/Dbinspect

You'd be looking for buckets where the latestTime is more than 46656000 seconds ago - those are the ones that should have rolled off by now.

Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...