Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

retention period

saeed
Explorer
‎01-05-2021 10:24 PM

Hi

When i search in Splunk I only find logs in last 52 days I need to increase the retention period  to be available and searchable for 6 mounths how can I do it?

 Should I increase the Cold data ?

I have 3 indexers(Clustered) should I do it for 3 Indexers?

any advice please

thanks

 

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-05-2021 11:23 PM

Hi @saeed,

You should set maxTotalDataSizeMB and frozenTimePeriodInSecs values.

maxTotalDataSizeMB should be calculated based on daily ingestion raw GB using below formula;

maxTotalDataSizeMB = DailyGB * 1024 * 180 / IndexerCount

If your index is ingesting 100GB/day raw data.
maxTotalDataSizeMB = 100 * 1024 * 180 / 3

 

maxTotalDataSizeMB = 6144000

 

frozenTimePeriodInSecs should be calculated based on retention days;

frozenTimePeriodInSecs = 86400 * RetentionMonths * 30

frozenTimePeriodInSecs = 86400 * 6 * 30

 

frozenTimePeriodInSecs = 15552000

 

More info can be found in below link;

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/Setaretirementandarchivingpolicy#Set_attr...

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...