Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Setting searchable retention while creating Index from GUI

man03359
Communicator
‎02-28-2024 07:15 PM

Hi,

I am starting with splunk admin and is confused about one topic. It might be silly.

While creating an index, we get the option to set the Searchable Retention (in days), I have read from the documents that splunk has 4 bucket, hot, warm, cold, and frozen.

My question is suppose I have set it as 90 days, while this 90 days period will the data be in hot bucket for the entire 90 days and will roll to frozen after 90 days period is over. Also how different is setting 90 days under the Searchable Retention and setting this below-

[main]
frozenTimePeriodInSecs = 7,776,000

 Please explain.

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-28-2024 09:48 PM

Hi @man03359 ,

at first, in frozenTimePeriodInSecs, don't use commas.

then, the meaning of the four statuses is the following:

Hot: just indexed data, in a bucket with in progress tsdindexes creation and usable for on-line searches,

Warm: data indexed from few days, that are used by the most searches and usable for on-line searches, they usually are located in high performances storage (at least 800 IOPS, better more),

Cold: not so recent data, used by few searches and usable for on-line searches, they usually are located in less expensive storages,

Frozen: data that are stored off line but that it's possible to recoved copying the entire bucket in the thawed folder, to have frozen data, you must configure Splunk to save them, by default dey are deleted.

Data roll to frozed after the earliest event of a bucket exceeds the retention period, for this reason you could have , in your searches, data before the retention period.

if you use a short retention period and you index few data, your bucket could directly pass from Warm to frozen or be deleted.

It's very difficoult that a data directly pass from Hot to Frozed because a bucket rolls from Hot to Warm when it reaches 10 GB or after three days, you should have a retention period less than three days and have less than 10 GB in this period.

For more details see at https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Setaretirementandarchivingpolicy and https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Howindexingworks

Ciao.

Giuseppe

0 Karma
Reply

man03359
Communicator
‎02-28-2024 10:25 PM

@gcusello 

So it means if we set the search retention period as 90 days under here-

man03359_0-1709186688393.png

It is stays at hot, warm, and cold during those 90 days and post 90 days rolls to frozen bucket?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-29-2024 12:13 AM

Hi @man03359,

this seems to be Splunk Cloud, in this case you don't need to manage the buckets.

Buckets managing and configuration is required only do on-premise installation.

For Splunk Cloud, you have only to define how long you want to store data, also because, by default, you have 90 day and if you want a longer period, you have to pay for the additional storage.

Ciao.

Giuseppe

 

Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...