- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to edit my indexes.conf to configure an index ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my indexes.conf to configure an index to only retain data for 90 days?
Hi Team,
I have created an index called "mysummary" for my Splunk app, and I want this index to store 90 days worth of data, so I have used the following configuration. i.e. at any time, I need to store only 90 days worth of data in this index.
I have seen the attribute "rotatePeriodInSecs" added to do the regular checks and roll the data after 90 days from the index and make it preserve only 90 days worth of data, but it's still not working as expected.
Can someone pls help here..
// Settings used now to store 91 days of logs.
[mysummary]
coldPath = volume:cold/mysummary/colddb
homePath = volume:hotwarm/mysummary/db
thawedPath = $SPLUNK_DB/cold/mysummary/thaweddb
maxHotSpanSecs = 7862400
frozenTimePeriodInSecs = 7862400
rotatePeriodInSecs = 60
repFactor = auto
thanks,
rakesh.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rakesh,
I can show you how I would configure an index, that should suffice your requirements.
[mysummary]
repFactor = auto
coldPath = volume:cold/mysummary/colddb
homePath = volume:hotwarm/mysummary/db
thawedPath = $SPLUNK_DB/cold/mysummary/thaweddb
frozenTimePeriodInSecs = 7776001 #90 days + 1 sec (ofc. you can do 91)
In my opinion, do not mess with default values of the maxHotSpanSecs parameter.
Regards,
pyro_wood
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Pyro_wood..
Thanks for the update . I Have used the same setting previously but it didn't work as expected and could see data being there in my index more than 90 days. So only introduced these 2 attributes maxHotSpanSecs and rotatePeriodInSecs. Is this something you tested and working for u ??
thanks.
rakesh.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rakesh,
I never used maxHotSpanSecs and rotatePeriodInSecs to be completely honest. Using rotatePeriodInSecs with the value of "60" shouldn't cause any problems. Using maxHotSpanSecs in an indexer stanza with values that aren't default I would never do.
The Stanza I gave you is exactly the stanza I use for my indexes on the splunk instances at work. And It works fine there, indexed data is kept around as long as the frozenTimePeriodInSecs parameter is set to.
What splunk-version are you using?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rakesh,
you could set your maxHotSpanSecs = 86400
This ensures, that buckets are in sizes of a day. So after the data is stored for 90 days it gets deleted.
Maybe this helps:
https://answers.splunk.com/answers/442480/how-to-troubleshoot-why-frozentimeperiodinsecs-is.html
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
