I have this small Splunk Enterprise deployment in a lab that's air gapped. I set up this deployment about 18 months ago. Recently I noticed I am not rolling any data. I want to set a retention period of 1 year for all the data.

After checking the configuration, it looks like I have # of Hot buckets set to auto (which is 3 by default, I assume) but I don't find any Warm buckets. So, everything is in Hot buckets. I am looking at a few settings, maxHotSpanSecs, frozenTimePeriodInSecs and maxVolumeDataSizeMB, that should roll data to warm and then cold buckets eventually.

Under /opt/splunk/etc/system/local/indexes.conf
maxHotSpanSecs is set to 7776000
frozenTimePeriodInSecs 31536000
maxVolumeDataSizeMB (not set)

Under /opt/splunk/etc/apps/search/indexs.conf
maxHotSpanSecs not set
frozenTimePeriodInSecs 31536000 (for all the indexes)
maxVolumeDataSizeMB (not set)

Shouldn't frozenTimePeriodInSecs take precedence? Maybe my maxVolumeDataSizeMB is set too high. Do I need to change it?

How do frozenTimePeriodInSecs and maxVolumeDataSizeMB affect each other? I thought frozenTimePeriodInSecs would override maxVolumeDataSizeMB.