retention period

saeed · ‎01-05-2021

Hi

When i search in Splunk I only find logs in last 52 days I need to increase the retention period to be available and searchable for 6 mounths how can I do it?

Should I increase the Cold data ?

I have 3 indexers(Clustered) should I do it for 3 Indexers?

any advice please

thanks

scelikok · ‎01-05-2021

Hi @saeed,

You should set maxTotalDataSizeMB and frozenTimePeriodInSecs values.

maxTotalDataSizeMB should be calculated based on daily ingestion raw GB using below formula;

maxTotalDataSizeMB = DailyGB * 1024 * 180 / IndexerCount

If your index is ingesting 100GB/day raw data.
maxTotalDataSizeMB = 100 * 1024 * 180 / 3

maxTotalDataSizeMB = 6144000

frozenTimePeriodInSecs should be calculated based on retention days;

frozenTimePeriodInSecs = 86400 * RetentionMonths * 30

frozenTimePeriodInSecs = 86400 * 6 * 30

frozenTimePeriodInSecs = 15552000

More info can be found in below link;

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/Setaretirementandarchivingpolicy#Set_attr...

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

retention period

search job inspector

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!