Retention index or log 90 days

jirakritwang · ‎07-04-2014

Hi. I use Splunk 6.1 free version, Can i config splunk for keep index or log 90 days and delete index or log older than 90 days.

Thank you.
Jira

Ayn · ‎07-04-2014

Yes. Check out the frozenTimePeriodInSecs setting in indexes.conf. By setting this to 7776000 (90 days in seconds) Splunk will delete data in its index when it becomes older than this limit. You're asking about deleting "index or log" - not sure what you mean by that, but Splunk will not delete any of the actual log files that it's read data from, that's something you need to set up separately.

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/Indexesconf

somesoni2 · ‎08-05-2014

The data older than frozenTimePeriodInSecs will get deleted from Splunk. This setting is per index, not global. Setting a higher value of frozenTimePeriodInSecs for summary indexes will ensure that summary index data is retained for longer period.

dhavamanis · ‎08-05-2014

Thank you!, i want to delete the indexed data / log. Sorry for the confusion. seems this frozenTimePeriodInSecs needs to enable per index, not for global. can you please confirm?. Also can you please provide the steps to retain summary index as historical data.

Retention index or log 90 days

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?