Re: how to set the retention policy of index

jichen · ‎07-16-2012

Hi,I'm also confusing about the retention policy. I want to keep some indexes for 90 days. Now I'm doing some test,when I set maxHotIdleSecs no more than 180,it works fine, it'll archive the index about per 5 minutes. But when I set to 200, 300,600 .... ,it doesn't archive the data according the time I set or doesn't delete the retired data at all.

[os]
coldPath = $SPLUNK_DB\os\colddb
homePath = $SPLUNK_DB\os\db
thawedPath = $SPLUNK_DB\os\thaweddb
coldToFrozenDir = d:\frozen
frozenTimePeriodInSecs = 10
rotatePeriodInSecs = 10
maxHotIdleSecs = 180

yannK · ‎07-16-2012

the time retention is controled by frozenTimePeriodInSecs, so for 90 days = 60*60*24*90= 7 776 000 seconds

frozenTimePeriodInSecs=7776000

Please read this http://wiki.splunk.com/Deploy:BucketRotationAndRetention before tuning rotatePeriodInSecs and maxHotIdleSecs they control the hot to warm rotation.
Eventually you could use maxHotIdleSecs=86400 to reduce the span of your hot buckets to 1 day per bucket.

yannK · ‎07-17-2012

oh, sorry, I meant maxHotSpanSecs not maxHotIdleSecs

I usually use maxHotIdleSecs as my time span for my hot buckets, to force them to roll more often.

jichen · ‎07-17-2012

Per this document http://wiki.splunk.com/Deploy:BucketRotationAndRetention, I add a line "maxHotSpanSecs = 200",the data should be retired after 200+10 Secs, but actually it archived the data at below time point: 11:06,12:03,13:03,13:12,14:04,15:03,15:07. So I don't know when it will do the archive job and how to control the retention of the data.

jichen · ‎07-17-2012

Hi, as I mentioned, when I test with below setting
frozenTimePeriodInSecs = 10
rotatePeriodInSecs = 10
maxHotIdleSecs = 200
, it maybe not delete and archive the data at all.

how to set the retention policy of index

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor