Knowledge Management

Data Retention using Summary Indexes

ManishaAgrawal
Explorer

My data has is spread across multiple indexes and has several event types. I have to set different retention policies for them.
Is it possible to use summary index, one for each eventtype and set a different retention policy for each of them ?

Idea is to collect events from main index into summary index on a daily/weekly basis and then set a retention policy for the index.

Is there any other way to collect and move data from index to another in Splunk 6.

0 Karma

jeremiahc4
Builder

I've used the summary index for maintaining summarized data long term. By summarizing it, you are reducing the size of the data, and therefore are able to store it longer without any modifications to retention.

If you are looking at legal retention, where the data has to be in original form, then I'd suggest defining your frozen areas for the indexes in lieu of the summary index. I believe once you dump stuff out to a frozen index, that file can be archived off (i.e. moved to tape), but please check that first. See below;

http://docs.splunk.com/Documentation/Splunk/6.0.3/Indexer/Setaretirementandarchivingpolicy

0 Karma

akarivaratharaj
Communicator

Hi,

Is there any separate Data Retention Policy for the sourcetype 'stash'? Or does it behaves as per the summary or other indexing Retention Policies?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...