Hello,
I've got a problem: I don't have any space left and I want to manually delete data that's older than X days.
I've tried:
frozenTimePeriodInSecs = 2592000
but Splunk is not deleting it.
I can't search anymore because I have no disk space left, so what can I do?
Hi all,
Well, "| delete" will not delete it but only mark it as deleted. It will not give you any space back on the filesystem. The much better way is using frozenTimePeriodInSecs. Are you sure that you restarted your indexers? Verify with splunk btool indexes list INDEXNAME --debug that the setting is really applied. Should work.
Regards,
Andreas
Hi @schose,
I tried the "frozenTimePeriodInSecs = x secs" parameter, but instead of deleting the data from disk, it deleted the tsidx files and moved the raw data files to the frozen directory.
Any idea how I can permanently remove that data from disk?
@schose,
so, after marking some data as deleted through the "delete" command, how can we claim the filesystem space?!?!
There is no way. You have to fade it out using frozenTimePeriodInSecs or reindex the data.
I've found this:
[main]
frozenTimePeriodInSecs = 15778800
etc.
But if I do splunk btool indexes list, I see multiple frozenTimePeriodInSecs lines, so did I put it in the proper file?
P.S. Sorry, but I'm really new to Splunk, so sorry if I'm asking dumb questions.
Hi, we are all starting at a certain point. In which index do you want to delete the "old data"? If you run splunk btool indexes list INDEXNAME --debug, replacing INDEXNAME with the name of the index you want to delete the data from, you will see the frozenTimePeriodInSecs from the config file Splunk is using. Never edit any indexes.conf in a default directory unless you are really sure you know what you are doing.
You can create an etc/system/local/indexes.conf file and create a stanza:
[myindex]
frozenTimePeriodInSecs = 7200
This will keep data in the index for 2 hours.
Regards,
Andreas
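The btool check described above, as an added example that is not part of the original thread: a small parser that reports, per index, the effective frozenTimePeriodInSecs, the file it comes from, and whether coldToFrozenDir or coldToFrozenScript is set (in which case frozen buckets are archived rather than deleted). The sample output, its paths and the function name effective_retention are constructed for illustration, and the "source file, then setting" line layout of --debug output is assumed.

```python
import re

# Constructed sample of `splunk btool indexes list --debug` output. Assumed
# layout: source file, whitespace, then a stanza header or a `key = value` line.
SAMPLE = """\
/opt/splunk/etc/system/local/indexes.conf    [main]
/opt/splunk/etc/system/default/indexes.conf  coldToFrozenDir =
/opt/splunk/etc/system/local/indexes.conf    frozenTimePeriodInSecs = 15778800
/opt/splunk/etc/system/local/indexes.conf    [myindex]
/opt/splunk/etc/system/local/indexes.conf    coldToFrozenDir = /data/frozen
/opt/splunk/etc/system/local/indexes.conf    frozenTimePeriodInSecs = 7200
"""

LINE = re.compile(
    r"^(?P<src>\S+)\s+(?:\[(?P<stanza>[^\]]+)\]|(?P<key>\w+)\s*=\s*(?P<val>.*))$"
)

def effective_retention(btool_output):
    """Return {index: {secs, days, source, archives}} from btool --debug text."""
    result, stanza = {}, None
    for raw in btool_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m.group("stanza"):
            # One stanza per index; each carries its own retention setting.
            stanza = m.group("stanza")
            result[stanza] = {"archives": False}
        elif stanza is not None:
            key, val = m.group("key"), m.group("val").strip()
            if key == "frozenTimePeriodInSecs" and val.isdigit():
                secs = int(val)
                result[stanza].update(
                    secs=secs, days=round(secs / 86400, 1), source=m.group("src")
                )
            elif key in ("coldToFrozenDir", "coldToFrozenScript") and val:
                # A non-empty archive target means buckets are kept on disk.
                result[stanza]["archives"] = True
    return result

if __name__ == "__main__":
    for index, info in effective_retention(SAMPLE).items():
        action = "archived to frozen storage" if info["archives"] else "deleted"
        print(f"{index}: {info.get('days')} days, set in {info.get('source')}; "
              f"frozen buckets are {action}")
```

To use it on a real system, feed it the captured output of the btool command instead of SAMPLE.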
Ahh okay, thanks 🙂
I got it now, appreciate the help!
Regards,
Nick
I think that setting will apply only to new data. You can search and delete it:
Your-index earliest=older-date latest=old-date |delete
NOTE - indexed data deletion is irreversible.
As I said, unfortunately I can't search anymore. If I want to search, I get this error: Search not executed: The minimum free disk space (50MB) reached for /opt/data/splunk/var/run/splunk/dispatch
Oh OK, I thought of this issue, then answered above without a cross-thought.
I am not sure; maybe try to delete using the Splunk CLI command line, if possible.