Yello! So I'm trying to remove events in a specific index older than a year, and all the references I've found so far, such as the primary link to the retention policy setting page (http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Setaretirementandarchivingpolicy) have told me the same thing. I am pretty sure I'm following the directions correctly, but it's not working.
The indexes.conf in etc/system/local is as below:
[datindextho]
coldPath = $SPLUNK_DB\datindextho\colddb
homePath = $SPLUNK_DB\datindextho\db
frozenTimePeriodInSecs = 31536000
thawedPath = $SPLUNK_DB\datindextho\thaweddb
The index is currently showing events from two years ago. I want to cut everything back to maximum one year. So far setting it this way and restarting Splunk has not caused the index to be reduced. Do I need more information in this stanza? Thank you all for your help!
If you have a bucket that has events from two years ago that also has events from 364 days or less ago in the same bucket, then the events will remain there until the entire bucket is more than 1 year old. It only ages out buckets, so if you have a bucket that has events from today and 2 years ago, with a retention of one year, then the two year old events will still be there until they are 3 years old. You can delete events, but that only makes them not visible. There will be no free disk space from a delete unless all the data in the bucket is beyond the retention period. USE delete cautiously (and it usually requires changing the admin role to include that capability).
Thanks! I didn't know that buckets could contain events with such varying dates. 😞
There is a way to specify that the events not be outside a range, but by default the above is what you have to deal with.
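The two replies above both come down to one rule: frozenTimePeriodInSecs is compared against the newest event in a bucket, and the whole bucket stays until that newest event is older than the retention period. The Python below is an added example, not code from the thread or from Splunk; it simulates that bucket-level aging on constructed timestamps and also shows, as a generalization, why capping the time span a single bucket may hold (the indexes.conf setting maxHotSpanSecs, which the reply alludes to but does not name) lets old events age out on schedule. The simulation models only the time span of a bucket; real Splunk buckets also roll on size and other settings, so treat the span cap here as an assumption for illustration.

```python
from dataclasses import dataclass, field

DAY = 86400
YEAR = 31536000  # frozenTimePeriodInSecs from the question's stanza


@dataclass
class Bucket:
    """A bucket remembers the timestamps of every event it holds."""
    events: list = field(default_factory=list)

    @property
    def earliest(self):
        return min(self.events)

    @property
    def latest(self):
        return max(self.events)


def build_buckets(event_times, max_span=None):
    """Group sorted timestamps into buckets.

    With max_span=None everything lands in one bucket (the worst case the
    answer describes). With a span cap, a new bucket is started whenever
    adding the event would make the bucket span more than max_span seconds.
    """
    buckets = []
    for t in sorted(event_times):
        if buckets and (max_span is None or t - buckets[-1].earliest <= max_span):
            buckets[-1].events.append(t)
        else:
            buckets.append(Bucket([t]))
    return buckets


def is_frozen(bucket, now, retention=YEAR):
    """Splunk freezes a whole bucket only when its NEWEST event is past retention."""
    return now - bucket.latest > retention


def freeze_time(bucket, retention=YEAR):
    """Epoch second at which the bucket becomes eligible for freezing."""
    return bucket.latest + retention


def oldest_event_age_at_freeze(bucket, retention=YEAR):
    """How old the bucket's oldest event will be when the bucket is finally frozen."""
    return freeze_time(bucket, retention) - bucket.earliest


def retained_events(event_times, now, max_span=None, retention=YEAR):
    """Timestamps still on disk after aging out frozen buckets."""
    kept = []
    for b in build_buckets(event_times, max_span):
        if not is_frozen(b, now, retention):
            kept.extend(b.events)
    return sorted(kept)


# Constructed sample: one event two years old, one 18 months old, one 6 months old, one from today.
NOW = 3 * YEAR
SAMPLE_EVENTS = [NOW - 730 * DAY, NOW - 540 * DAY, NOW - 180 * DAY, NOW]

if __name__ == "__main__":
    single = build_buckets(SAMPLE_EVENTS)[0]
    print("one bucket, oldest event age at freeze (years):",
          oldest_event_age_at_freeze(single) / YEAR)
    print("kept without span cap:", retained_events(SAMPLE_EVENTS, NOW))
    print("kept with 90-day span cap:", retained_events(SAMPLE_EVENTS, NOW, max_span=90 * DAY))
```

Without a span cap all four events share one bucket whose newest event is today, so nothing is frozen and the two-year-old event is kept for another full year (it will be three years old when the bucket finally ages out, exactly as the answer states). With a 90-day span cap the same events fall into four buckets and the two older ones are frozen as soon as their own newest event crosses the one-year mark.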
If you have found this has answered your question you can accept the answer so that in the future others will know that the question has been answered when they are searching.