What are the files that need to be deleted under splogs?

Kaushikkatta03
Explorer

Our indexers are completely filled:
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_hsplunkp03_san-splunk_logs
5.6T 5.2T 115G 98% /splogs

What are the files to be deleted, or how can we reduce the size?

sjohnson_splunk
Splunk Employee

The default retention time (except for _internal) is 6 years. You need to decide which indexes you need to keep and then set this in indexes.conf:

frozenTimePeriodInSecs =
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs before it will roll. Then, the DB will be frozen the next time splunkd checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).

You can set this for each index or set it under the [default] stanza to have it apply to all indexes.
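
An added example (not part of the original answer and not Splunk's own code): a Python sketch that reads a single indexes.conf text, applies the [default] stanza to every index as described above, and reports each index's effective retention and whether its data is deleted or archived at frozen. The sample stanzas, index names and script path are constructed, and it assumes one file rather than Splunk's layered configuration.

```python
import configparser

DEFAULT_FROZEN_SECS = 188697600  # default quoted in the answer (6 years)
MAX_FROZEN_SECS = 4294967295     # highest legal value quoted in the answer

# Constructed sample; index names, values and the script path are made up.
SAMPLE_CONF = """
[default]
frozenTimePeriodInSecs = 94608000

[firewall]
frozenTimePeriodInSecs = 7776000

[auth_audit]
coldToFrozenScript = /opt/archive/freeze_bucket.sh

[web]
frozenTimePeriodInSecs = 9999999999
"""

def effective_retention(conf_text):
    """Map each index to (seconds, days, fate_at_frozen, problem)."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    report = {}
    for index in cp.sections():  # [default] is not listed, only inherited
        stanza = cp[index]
        raw = stanza.get("frozenTimePeriodInSecs", str(DEFAULT_FROZEN_SECS))
        secs = days = problem = None
        try:
            secs = int(raw)
            days = secs // 86400
            if not 0 <= secs <= MAX_FROZEN_SECS:
                problem = "outside legal range"
        except ValueError:
            problem = "not an integer"
        # coldToFrozenDir is a second archiving setting in indexes.conf that
        # this page does not mention; either one prevents deletion.
        archived = stanza.get("coldToFrozenScript") or stanza.get("coldToFrozenDir")
        report[index] = (secs, days, "archived" if archived else "deleted", problem)
    return report

if __name__ == "__main__":
    for name, row in effective_retention(SAMPLE_CONF).items():
        print(name, row)
```

Any index reported as "deleted" loses its events permanently once they age past the listed number of days, so check that figure against your investigation and compliance retention needs before lowering it.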

somesoni2
SplunkTrust

What you need to do is set up data retention policies on your data, so that undesired data is not kept on the indexer and disk space is saved. See this for more details.

http://docs.splunk.com/Documentation/Splunk/6.4.2/Indexer/Setaretirementandarchivingpolicy

Kaushikkatta03
Explorer

Hello,

We have the configuration set to default. As the logs are in cold state, can we delete these old logs, which are 3 years old?
