Deployment Architecture

What Should I Expect After Implementing A Retirement Policy?

gph12
Explorer

Hello,

I'm looking for advice\info on how retirement policies work in practice. Based on this document, I set a retirement policy for 1 index to start with to remove data older than 2 years. I set it to:
frozenTimePeriodInSecs = 63072000

What can I expect after doing this? I have seen the number of events in one index go down from 429 million to 421 million. But there are still events older than two years.

Is there a process or log that shows the retirement activity--such as how many events were removed on a particular day\week\month?

I presume the index itself will not be reduced in size, just the number of events. Is that correct?

If the index does not shrink, will new events fill up the white space made available by retired events? Or will the index continue to grow? (I have two conflicting goals--I don't want to run out of disk space but I have a compliance requirement to keep events for a certain period of time. Otherwise, I would set a maximum size on the indexes.)

Thanks in advance.

0 Karma

somesoni2
Revered Legend

Data retirement policies don't work on a per-event basis; instead they work on the data buckets for that index. It'll delete cold-stage buckets only when the latest event in that bucket is older than the set frozenTimePeriodInSecs. (Say a bucket has data with _time ranging from 10/04/2015 to 11/18/2015: that bucket won't be deleted, because the latest event in the bucket, 11/18/2015, is not older than 2 years from now, even though it contains other events which are older.)

I would suggest a read of this to understand the retention policies better.
https://docs.splunk.com/Documentation/Splunk/7.0.0/Indexer/Setaretirementandarchivingpolicy

0 Karma
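
The bucket-level rule described in the answer above, as an added example that is not part of the original thread and not Splunk's own code. It assumes bucket directories named `db_<newest_time>_<oldest_time>_<id>` (epoch seconds); the bucket names, the `classify` helper and the "now" timestamp are constructed for illustration.

```python
from datetime import datetime, timezone

FROZEN_TIME_PERIOD_IN_SECS = 63072000  # value from the question (730 days)

# Constructed "now" for the example: 2017-11-01 00:00:00 UTC
NOW = int(datetime(2017, 11, 1, tzinfo=timezone.utc).timestamp())

# Constructed sample bucket directory names (not from a real indexer)
SAMPLE_BUCKETS = [
    "db_1443571200_1438387200_11",  # 2015-08-01 .. 2015-09-30, entirely old
    "db_1447804800_1443916800_12",  # 2015-10-04 .. 2015-11-18, the answer's case
    "db_1508025600_1504224000_40",  # 2017-09-01 .. 2017-10-15, entirely recent
]

def parse_bucket(name):
    """Return (newest, oldest) epoch seconds from db_<newest>_<oldest>_<id>."""
    parts = name.split("_")
    if len(parts) < 4 or parts[0] != "db":
        raise ValueError(f"not a bucket directory name: {name!r}")
    newest, oldest = int(parts[1]), int(parts[2])
    if oldest > newest:
        raise ValueError(f"oldest time is after newest time: {name!r}")
    return newest, oldest

def classify(names, now, period=FROZEN_TIME_PERIOD_IN_SECS):
    """Group buckets by how the retirement rule treats them at time `now`."""
    cutoff = now - period
    report = {"freeze": [], "keep_mixed": [], "keep": []}
    for name in names:
        newest, oldest = parse_bucket(name)
        if newest < cutoff:
            # Latest event is past retention: the whole bucket is retired.
            report["freeze"].append(name)
        elif oldest < cutoff:
            # Some events are past retention, but the latest one is not,
            # so the bucket stays and the old events remain searchable.
            report["keep_mixed"].append(name)
        else:
            report["keep"].append(name)
    return report

if __name__ == "__main__":
    for group, names in classify(SAMPLE_BUCKETS, NOW).items():
        print(group, names)
```

The `keep_mixed` group is why events older than two years can still appear in searches after the policy is set.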

gph12
Explorer

Thanks for the comment. Yes, that's the document I tried to link but it didn't take for some reason.

Your explanation of buckets and the time ranges makes sense. Thanks again.

0 Karma