Knowledge Management

Retention Policy of an Index

Prakash493
Communicator

Hi, I am currently setting up the retention policy of an index. I am currently setting data to roll over to frozen after 6 months, but I am interested in moving data from hot to warm after 2 months, from warm to cold after 3 months, and lastly to frozen after 6 months. Below is my current setting; can you please suggest what I need to modify so that data moves from hot to warm and from warm to cold.

indexes.conf
[test]
homePath = $SPLUNK_DB/test/db
# indexes.conf keys are case-sensitive: the setting is coldPath, not ColdPath
coldPath = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb
repFactor = auto
coldToFrozenDir = $SPLUNK_DB/test/frozendb
coldToFrozenInSecs = 15552000

So after 6 months my data will roll into frozen. What extra settings do I need to add above to make data roll over from hot to warm in 2 months and from warm to cold after 2 months, and after that roll into frozen?


harsmarvania57
SplunkTrust

Hi,

Let me first explain how Splunk rolls data from hot to warm, from warm to cold, and from cold to frozen. The scenario below explains bucket rolling if you are not using volumes.

1.) Hot to warm bucket roll depends on 2-3 parameters. First, Splunk looks at maxDataSize (default is auto, meaning 750MB) and maxHotSpanSecs (default is 90 days) in indexes.conf; if either parameter reaches its limit, the bucket will roll from hot to warm. If neither limit is reached and the hot bucket is idle, it will roll to warm when the maxHotIdleSecs (default is 90 days) limit is reached.

2.) Warm to cold bucket roll depends on maxWarmDBCount (default is 300 warm buckets): when the index reaches maxWarmDBCount, buckets will roll from warm to cold.

3.) Cold to frozen roll depends on maxTotalDataSizeMB (default is 500000 MB) and frozenTimePeriodInSecs (default is 6 years), whichever is hit first. frozenTimePeriodInSecs applies to all events in a single bucket, so unless all events in the bucket are older than frozenTimePeriodInSecs, the bucket will not be removed.

Based on the above parameters you can set these parameters as per your requirement, but you will not be able to achieve exact rolling of buckets after X months from hot -> warm -> cold, because some of the parameters depend on the number of buckets instead of time, and if the data coming to the indexer does not parse timestamps properly, you will end up with many buckets.

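The parameters described in this answer are easy to get subtly wrong in indexes.conf (a mis-cased key such as ColdPath, a key Splunk does not know such as coldToFrozenInSecs, or a seconds value that does not match the retention you meant). The following checker is an added example, not code from this thread or from Splunk: it parses a stanza, reports the time-based settings in days, flags keys whose case does not match the canonical name (Splunk keys are case-sensitive) or that are outside its list of known settings, compares frozenTimePeriodInSecs with a target retention, and notes when both coldToFrozenDir and coldToFrozenScript are set (coldToFrozenDir takes precedence). KNOWN_KEYS covers only the settings discussed in this thread, and the sample stanza is constructed from the question above.

```python
"""Added example (not from this thread or from Splunk): a small lint for
indexes.conf retention settings. KNOWN_KEYS lists only the settings the
thread discusses; the SAMPLE stanza is constructed from the question."""
import configparser
from typing import Dict, List

# Canonical key names; Splunk treats indexes.conf keys as case-sensitive.
KNOWN_KEYS = {
    "homePath", "coldPath", "thawedPath", "repFactor",
    "coldToFrozenDir", "coldToFrozenScript",
    "frozenTimePeriodInSecs", "maxHotSpanSecs", "maxHotIdleSecs",
    "maxDataSize", "maxWarmDBCount", "maxTotalDataSizeMB",
}
TIME_KEYS = {"frozenTimePeriodInSecs", "maxHotSpanSecs", "maxHotIdleSecs"}
SECS_PER_DAY = 86400


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse indexes.conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # the default lower-cases keys and would hide casing mistakes
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_stanza(name: str, settings: Dict[str, str], retention_days: int) -> List[str]:
    """Return human-readable findings for one index stanza."""
    findings: List[str] = []
    canonical = {k.lower(): k for k in KNOWN_KEYS}
    for key, value in settings.items():
        if key in KNOWN_KEYS:
            if key in TIME_KEYS and value.isdigit():
                findings.append(f"{key} = {value}s ({int(value) / SECS_PER_DAY:g} days)")
        elif key.lower() in canonical:
            findings.append(f"mis-cased key '{key}': Splunk expects '{canonical[key.lower()]}'")
        else:
            findings.append(f"'{key}' is not a setting this checker knows; "
                            "verify it against indexes.conf.spec")
    frozen = settings.get("frozenTimePeriodInSecs")
    if frozen is None or not frozen.isdigit():
        findings.append("frozenTimePeriodInSecs is not set, so the Splunk default retention applies")
    elif abs(int(frozen) / SECS_PER_DAY - retention_days) > 1:
        findings.append(f"frozenTimePeriodInSecs gives {int(frozen) / SECS_PER_DAY:g} days, "
                        f"target is {retention_days}")
    if "coldToFrozenDir" in settings and "coldToFrozenScript" in settings:
        findings.append("both coldToFrozenDir and coldToFrozenScript are set; "
                        "coldToFrozenDir takes precedence")
    return [f"[{name}] {f}" for f in findings]


def check_conf(text: str, retention_days: int = 180) -> List[str]:
    """Run check_stanza over every stanza in the given indexes.conf text."""
    return [f for name, settings in parse_stanzas(text).items()
            for f in check_stanza(name, settings, retention_days)]


# Constructed sample: the asker's original stanza from this thread.
SAMPLE = """
[test]
homePath = $SPLUNK_DB/test/db
ColdPath = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb
repFactor = auto
coldToFrozenDir = $SPLUNK_DB/test/frozendb
coldToFrozenInSecs = 15552000
"""

if __name__ == "__main__":
    for line in check_conf(SAMPLE):
        print(line)
```

Run it against your own indexes.conf with the retention you intend (180 days here) and fix every finding before restarting the indexer; `splunk btool indexes list --debug` then confirms what Splunk actually loaded.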


Prakash493
Communicator

Thank you so much for the clarification, it really helps. If I just want my data to roll over to frozen after 6 months, is my above stanza correct?

harsmarvania57
SplunkTrust

After 6 months, do you want to remove the data from Splunk, or do you want to move the buckets to an archive directory?

Prakash493
Communicator

Yes, please tell me for both cases: what I have to add if I want to archive, and what I need to add if I want to remove. That will be helpful.

harsmarvania57
SplunkTrust

1.) Below is the configuration to remove data from Splunk after 6 months, but this will create many buckets, so use it with caution, because I don't know how much data will come into the test index.

indexes.conf

[test]
homePath = $SPLUNK_DB/test/db
# indexes.conf keys are case-sensitive: the setting is coldPath
coldPath = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb
repFactor = auto
# roll hot buckets daily (1 day = 86400 s); this is what produces many buckets
maxHotSpanSecs = 86400
# 6 months = 180 days = 15552000 s; buckets are deleted once all their events are older than this
frozenTimePeriodInSecs = 15552000

2.) Below is the configuration to roll data into an archive directory; this will also generate many buckets.

indexes.conf

[test]
homePath = $SPLUNK_DB/test/db
# indexes.conf keys are case-sensitive: the setting is coldPath
coldPath = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb
repFactor = auto
# roll hot buckets daily (1 day = 86400 s)
maxHotSpanSecs = 86400
# 6 months = 180 days = 15552000 s
frozenTimePeriodInSecs = 15552000
# use one of the two: coldToFrozenDir copies the bucket for you, coldToFrozenScript
# runs your own script; if both are set, coldToFrozenDir takes precedence
coldToFrozenDir = < your archived directory path>
coldToFrozenScript = < your path to script >
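For the coldToFrozenScript option in configuration 2 above, here is an added example of such a script; it is not Splunk's shipped script and not code from this thread. It assumes Splunk invokes the script with the bucket directory as its last argument and deletes the bucket only when the script exits 0, so the script copies the bucket under a hypothetical ARCHIVE_ROOT, verifies the copy file by file before publishing it, and exits non-zero (leaving the bucket in place) on any failure. A repeated call for an already-archived bucket succeeds without copying again, which matters if the indexer retries.

```python
#!/usr/bin/env python3
"""Added example of a coldToFrozenScript (not Splunk's shipped script).
Assumptions: Splunk passes the bucket directory as the last argument and
removes the bucket only on exit status 0; ARCHIVE_ROOT is a hypothetical path."""
import shutil
import sys
from pathlib import Path
from typing import Dict

ARCHIVE_ROOT = Path("/var/splunk-archive")  # hypothetical archive location


def bucket_files(root: Path) -> Dict[str, int]:
    """Map each file's path relative to root to its size, for verifying a copy."""
    return {str(p.relative_to(root)): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}


def archive_destination(bucket: Path, archive_root: Path) -> Path:
    """$SPLUNK_DB/<index>/colddb/<bucket> -> <archive_root>/<index>/<bucket>."""
    index_name = bucket.parent.parent.name
    return archive_root / index_name / bucket.name


def archive_bucket(bucket: Path, archive_root: Path) -> Path:
    """Copy a frozen bucket into the archive and return the destination path."""
    bucket = Path(bucket).resolve()
    if not bucket.is_dir():
        raise FileNotFoundError(f"bucket directory not found: {bucket}")
    dest = archive_destination(bucket, archive_root)
    expected = bucket_files(bucket)
    if dest.exists():
        # A retry after an earlier successful run: accept only an identical copy.
        if bucket_files(dest) == expected:
            return dest
        raise RuntimeError(f"archive {dest} exists but does not match the bucket")
    partial = dest.with_name(dest.name + ".partial")
    if partial.exists():
        shutil.rmtree(partial)  # leftover from an interrupted run
    shutil.copytree(bucket, partial)
    if bucket_files(partial) != expected:
        shutil.rmtree(partial)
        raise RuntimeError("copy verification failed")
    partial.rename(dest)  # publish atomically on the same filesystem
    return dest


def main(argv) -> int:
    if len(argv) < 2:
        print("usage: archive_bucket.py <bucket directory>", file=sys.stderr)
        return 2
    try:
        dest = archive_bucket(Path(argv[-1]), ARCHIVE_ROOT)
    except Exception as exc:  # non-zero exit: Splunk keeps the bucket
        print(f"archive failed: {exc}", file=sys.stderr)
        return 1
    print(f"archived to {dest}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point coldToFrozenScript at this file (Splunk's own Python interpreter is the usual choice for running it), make sure the Splunk user can write to ARCHIVE_ROOT, and watch splunkd.log for the script's stderr when a bucket fails to freeze.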

Prakash493
Communicator

Thank you so much, this will solve my issue.