Hi @schose,

I tried "frozenTimePeriodInSecs = x secs" parameter. but Instead of deleting the data from disk, it deleted the tsidx files and moved the raw data files to frozen directory.

Any idea on how can I permanently remove that data from disk?

@schose,
so, after marking some data as deleted thru "delete" command, how can we claim the filesystem space?!?!

there is no way. you have to fade it out using frozenTimePeriodInSecs or reindex the data.

I've found this:

[main]
frozenTimePeriodInSecs = 15778800
etc.

But if I do splunk btool indexes list, I see multiple frozenTimePeriodInSecs lines, so did I put it in the proper file?

P.S. Sorry but i'm really new to SPLUNK so sorry if im asking dumb questions.

Hi, we are all starting at a certain point.. in which index you want to delete the "old data"? if you are running splunk btool indexes list INDEXNAME --debug and replace INDEXNAME with the name of your index you want to delete the data from you will see the frozenTimePeriodInSecs from the configfile splunk is using. never edit any indexes.conf in a default directory, until you are really sure you know what you are doing.
you can create a etc/system/local/indexes.conf file and create stanza

[myindex]
frozenTimePeriodInSecs = 7200

this will keep data in the index for 2 hours,

regards,

Andreas

Ahh okey thanks 🙂

I got it now, appreciate the help!

Regards,

Nick

As I said unfortunately I cant search anymore, If I want to search, I get this error : Search not executed: The minimum free disk space (50MB) reached for /opt/data/splunk/var/run/splunk/dispatch

oh ok, i thought this issue, then answered above without a cross-thought.
i am not sure, maybe, try to delete using splunk CLI commandline, if possible.