Getting Data In

How to edit my indexes.conf to configure an index to only retain data for 90 days?

rakesh_498115
Motivator

Hi Team,

I have created an index called "mysummary" for my Splunk app, and I want this index to store 90 days worth of data, so I have used the following configuration. i.e. at any time, I need to store only 90 days worth of data in this index.

I have seen the attribute "rotatePeriodInSecs" added to do the regular checks and roll the data after 90 days from the index and make it preserve only 90 days worth of data, but it's still not working as expected.

Can someone pls help here..

// Settings used now to store 91 days of logs.

[mysummary]
coldPath = volume:cold/mysummary/colddb
homePath = volume:hotwarm/mysummary/db
thawedPath = $SPLUNK_DB/cold/mysummary/thaweddb
maxHotSpanSecs = 7862400
frozenTimePeriodInSecs = 7862400
rotatePeriodInSecs = 60
repFactor = auto

thanks,
rakesh.

0 Karma

horsefez
SplunkTrust
SplunkTrust

Hi rakesh,

I can show you how I would configure an index, that should suffice your requirements.

[mysummary]
repFactor = auto
coldPath = volume:cold/mysummary/colddb
homePath = volume:hotwarm/mysummary/db
thawedPath = $SPLUNK_DB/cold/mysummary/thaweddb
frozenTimePeriodInSecs = 7776001 #90 days + 1 sec (ofc. you can do 91)

In my opinion, do not mess with default values of the maxHotSpanSecs parameter.

Regards,
pyro_wood

rakesh_498115
Motivator

Hi Pyro_wood..

Thanks for the update . I Have used the same setting previously but it didn't work as expected and could see data being there in my index more than 90 days. So only introduced these 2 attributes maxHotSpanSecs and rotatePeriodInSecs. Is this something you tested and working for u ??

thanks.
rakesh.

0 Karma

horsefez
SplunkTrust
SplunkTrust

Hi rakesh,

I never used maxHotSpanSecs and rotatePeriodInSecs to be completely honest. Using rotatePeriodInSecs with the value of "60" shouldn't cause any problems. Using maxHotSpanSecs in an indexer stanza with values that aren't default I would never do.

The Stanza I gave you is exactly the stanza I use for my indexes on the splunk instances at work. And It works fine there, indexed data is kept around as long as the frozenTimePeriodInSecs parameter is set to.

What splunk-version are you using?

0 Karma

horsefez
SplunkTrust
SplunkTrust

Hi rakesh,

you could set your maxHotSpanSecs = 86400
This ensures, that buckets are in sizes of a day. So after the data is stored for 90 days it gets deleted.

Maybe this helps:
https://answers.splunk.com/answers/442480/how-to-troubleshoot-why-frozentimeperiodinsecs-is.html

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...