Getting Data In

Setting searchable retention while creating Index from GUI

man03359
Communicator

Hi,

I am starting with Splunk admin and am confused about one topic. It might be silly.

While creating an index, we get the option to set the Searchable Retention (in days). I have read in the documents that Splunk has 4 buckets: hot, warm, cold, and frozen.

My question is: suppose I have set it to 90 days. During this 90-day period, will the data be in the hot bucket for the entire 90 days and roll to frozen after the 90-day period is over? Also, how different is setting 90 days under Searchable Retention from setting this below:

[main]
frozenTimePeriodInSecs = 7,776,000

Please explain.

Thanks in advance.


gcusello
SplunkTrust

Hi @man03359 ,

First, in frozenTimePeriodInSecs, don't use commas.

Then, the meaning of the four statuses is the following:

Hot: just-indexed data, in a bucket whose tsidx indexes are still being created, usable for online searches,

Warm: data indexed a few days ago, used by most searches and usable for online searches; they are usually located in high-performance storage (at least 800 IOPS, better more),

Cold: less recent data, used by few searches and usable for online searches; they are usually located in less expensive storage,

Frozen: data that are stored offline but can be recovered by copying the entire bucket into the thawed folder; to have frozen data, you must configure Splunk to save them, since by default they are deleted.

Data roll to frozen after the earliest event of a bucket exceeds the retention period; for this reason you could have, in your searches, data from before the retention period.

If you use a short retention period and you index little data, your bucket could pass directly from Warm to Frozen or be deleted.

It's very difficult for data to pass directly from Hot to Frozen, because a bucket rolls from Hot to Warm when it reaches 10 GB or after three days; you would need a retention period of less than three days and less than 10 GB indexed in this period.

For more details see https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Setaretirementandarchivingpolicy and https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Howindexingworks

Ciao.

Giuseppe

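As an added example (not code from the thread or from Splunk), a small Python checker that applies the two points in the answer above to an indexes.conf stanza: frozenTimePeriodInSecs must be a plain integer number of seconds (90 days = 7776000, no commas), and without coldToFrozenDir or coldToFrozenScript a frozen bucket is deleted rather than archived. The sample conf text is constructed for the example.

```python
import configparser
import re
from typing import Dict, List

SECONDS_PER_DAY = 86400

# Constructed sample indexes.conf. The [main] stanza repeats the comma-formatted
# value from the question; [audit_long] is a corrected stanza with an archive dir.
SAMPLE_INDEXES_CONF = """
[main]
frozenTimePeriodInSecs = 7,776,000

[audit_long]
frozenTimePeriodInSecs = 31536000
coldToFrozenDir = /opt/splunk/frozen/audit_long
"""


def days_to_frozen_secs(days: int) -> int:
    """Convert a GUI 'Searchable Retention (in days)' value to frozenTimePeriodInSecs."""
    return days * SECONDS_PER_DAY


def check_retention(conf_text: str) -> Dict[str, List[str]]:
    """Return {stanza: [findings]} for the retention settings of each index stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase setting names as written
    parser.read_string(conf_text)
    findings: Dict[str, List[str]] = {}
    for stanza in parser.sections():
        notes: List[str] = []
        raw = parser.get(stanza, "frozenTimePeriodInSecs", fallback=None)
        if raw is None:
            notes.append("no frozenTimePeriodInSecs set; Splunk default applies")
        elif not re.fullmatch(r"\d+", raw.strip()):
            # Splunk expects an integer count of seconds, e.g. 7776000 for 90 days
            notes.append(f"frozenTimePeriodInSecs={raw!r} is not a plain integer (remove commas)")
        else:
            days = int(raw) / SECONDS_PER_DAY
            notes.append(f"data older than {days:g} days rolls to frozen")
        archived = parser.has_option(stanza, "coldToFrozenDir") or parser.has_option(
            stanza, "coldToFrozenScript"
        )
        if not archived:
            notes.append("no coldToFrozenDir/coldToFrozenScript: frozen buckets are deleted")
        findings[stanza] = notes
    return findings


if __name__ == "__main__":
    for name, notes in check_retention(SAMPLE_INDEXES_CONF).items():
        print(f"[{name}]")
        for note in notes:
            print(f"  - {note}")
```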

man03359
Communicator

@gcusello 

So does it mean that if we set the search retention period to 90 days here:

[screenshot: Searchable Retention setting in the index creation form]

it stays in hot, warm, and cold during those 90 days and after 90 days rolls to the frozen bucket?


gcusello
SplunkTrust

Hi @man03359,

This seems to be Splunk Cloud; in this case you don't need to manage the buckets.

Bucket management and configuration are required only on on-premise installations.

For Splunk Cloud, you only have to define how long you want to store data, also because, by default, you have 90 days, and if you want a longer period, you have to pay for the additional storage.

Ciao.

Giuseppe
