Deployment Architecture

Data storage retention for 30 days of data

pb0543
Explorer

I have a 6.x environment and I want to configure splunk to only retain the last 30 days worth of data. How do I configure this for each indexer. I have 315 GB per indexer. I have 5 indexers. I only want to retain the last 30 days of data on each indexer. I see data files in my indexers(db) that are from 2014 and 2015 in this directory path - /opt/tools/splunk/var/lib/splunk. I setup two indexes, but I also see quite a bit data files in the defaultdb.

0 Karma

ddrillic
Ultra Champion

You can use the frozenTimePeriodInSecsconfig variable.

How is frozenTimePeriodInSecs applied?

speaks about it... something like -

     [90day_index]
     frozenTimePeriodInSecs = 7776000

     [forever_index]
     frozenTimePeriodInSecs = 188697600
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Have look at SPlunk doc for this

http://docs.splunk.com/Documentation/Splunk/6.2.6/Indexer/Setaretirementandarchivingpolicy#Set_attri...

Since you've limited/smaller space then splunk's default index size 500,000MB, I would suggest to set both maxTotalDataSizeMB and frozenTimePeriodInSecs.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this answer: https://answers.splunk.com/answers/389658/what-will-break-if-i-set-coldpath-to-devnull.html

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...