retention period



When I search in Splunk, I only find logs from the last 52 days. I need to increase the retention period so that data is available and searchable for 6 months. How can I do it?

Should I increase the cold data?

I have 3 indexers (clustered). Should I do it for the 3 indexers?

Any advice, please?





Hi @saeed,

You should set maxTotalDataSizeMB and frozenTimePeriodInSecs values.

maxTotalDataSizeMB should be calculated based on daily raw ingestion in GB, using the formula below:

maxTotalDataSizeMB = DailyGB * 1024 * 180 / IndexerCount

If your index is ingesting 100 GB/day of raw data:
maxTotalDataSizeMB = 100 * 1024 * 180 / 3


maxTotalDataSizeMB = 6144000


frozenTimePeriodInSecs should be calculated based on retention days:

frozenTimePeriodInSecs = 86400 * RetentionMonths * 30

frozenTimePeriodInSecs = 86400 * 6 * 30


frozenTimePeriodInSecs = 15552000


More info can be found in below link;



If this reply helps you, an upvote is appreciated.
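Splunk freezes a bucket as soon as either limit is reached, so the smaller of the two settings decides how far back searches can go. The following added example (not part of the original reply, and not Splunk's own tooling) inverts the reply's sizing formula to show which setting is cutting retention short. The index name `app_logs`, the stanza values and both function names are constructed for illustration, and the sizing uses the reply's raw-size formula as given.

```python
import configparser

# Constructed sample stanza; the index name "app_logs" is hypothetical.
SAMPLE_INDEXES_CONF = """
[app_logs]
homePath = $SPLUNK_DB/app_logs/db
coldPath = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb
maxTotalDataSizeMB = 1800000
frozenTimePeriodInSecs = 15552000
"""


def effective_retention(conf_text, index, daily_gb, indexer_count):
    """Return (days, limiting_setting) for one index stanza.

    Size limit, from the reply's formula solved for days:
        days = maxTotalDataSizeMB * IndexerCount / (DailyGB * 1024)
    Time limit:
        days = frozenTimePeriodInSecs / 86400
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # Splunk setting names are case-sensitive
    parser.read_string(conf_text)
    stanza = parser[index]
    days_by_size = (int(stanza["maxTotalDataSizeMB"]) * indexer_count
                    / (daily_gb * 1024))
    days_by_time = int(stanza["frozenTimePeriodInSecs"]) / 86400
    if days_by_size < days_by_time:
        return days_by_size, "maxTotalDataSizeMB"
    return days_by_time, "frozenTimePeriodInSecs"


def required_settings(daily_gb, indexer_count, retention_days):
    """Apply the reply's two formulas for a target retention in days."""
    return {
        "maxTotalDataSizeMB": daily_gb * 1024 * retention_days // indexer_count,
        "frozenTimePeriodInSecs": 86400 * retention_days,
    }


if __name__ == "__main__":
    days, limit = effective_retention(SAMPLE_INDEXES_CONF, "app_logs", 100, 3)
    print(f"searchable for about {days:.0f} days, limited by {limit}")
    for key, value in required_settings(100, 3, 180).items():
        print(f"{key} = {value}")
```

In the sample, frozenTimePeriodInSecs already allows 180 days, but the size cap freezes data after about 52 days, so raising the time setting alone would not extend retention.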