Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Ideal indexes.conf

nawazns5038
Builder
‎03-08-2018 05:47 PM

Hi,

Can I please know the ideal configurations for indexes.conf ?

Should we include parameters like homePath.maxDataSizeMB , coldPath.maxDataSizeMB etc. ?

Or is it enough to specify only frozenTimePeriodInSecs

0 Karma
Reply

ddrillic
Ultra Champion
‎03-16-2018 06:38 PM

The two important ones are frozenTimePeriodInSecs and maxTotalDataSizeMB with the default of 1/2 TB.

0 Karma
Reply

deepashri_123
Motivator
‎03-08-2018 08:05 PM

Hey nawazns5038,

Your total retention period includes hot warm and cold buckets. There are default parameters in splunk from rolling hot to warm buckets and warm to cold, although can be changed. However frozenTimePeriodInSecs parameter decides when the bucket has to be deleted from Splunk, so adding this parameter should do the trick.

You can refer the doc below:
http://wiki.splunk.com/Deploy:BucketRotationAndRetention

Let me know if this helps!!

0 Karma
Reply

nawazns5038
Builder
‎03-13-2018 02:14 PM

Hi Deepa

homePath.maxDataSizeMB = 2000000
coldPath.maxDataSizeMB = 15664000
frozenTimePeriodInSecs = 2505600
maxTotalDataSizeMB = 34664000
maxDataSize = auto_high_volume
repFactor = auto

How does Splunk roll the buckets from hot to warm warm to cold based on the settings I mentioned above.

0 Karma
Reply

nawazns5038
Builder
‎03-13-2018 02:16 PM

If I just mention frozenTimePeriodInSecs as 30 days , how does Splunk roll the buckets exactly so that the data gets deleted in 30 days ?

Will adding the parameters like homePath.maxDataSizeMB , coldPath.maxDataSizeMB effect the rolling of buckets ?

0 Karma
Reply

deepashri_123
Motivator
‎03-13-2018 11:19 PM

You can refer this link to understand how bucket ages:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Indexer/HowSplunkstoresindexes

When you mention frozenTimePeriodInSecs, this parameter decides the retention of bucket from coldpath and deletes the file from splunk

0 Karma
Reply

nawazns5038
Builder
‎03-16-2018 04:57 PM

It does not mention the way how Splunk rolls the buckets if we just mention the frozenTimePeriodInSecs .

The question is pretty straight forward, we set frozenTimePeriodInSecs = 30 days .... how does splunk roll the buckets so that data gets deleted by 30 days from the day it comes in .

you have mentioned that the "When you mention frozenTimePeriodInSecs, this parameter decides the retention of bucket from coldpath and deletes the file from splunk "
but there are stages in between which the data goes through to reach cold state.

0 Karma
Reply

nawazns5038
Builder
‎03-16-2018 05:03 PM

What if the data volume is low and is present only in the hot and warm buckets itself and didn't come into cold still and the period has exceeded 30 days ?
So the retention policy will not apply in this case ??

0 Karma
Reply

damiensurat
Contributor
‎03-08-2018 07:16 PM

This is a hard question ion to answer as the parameters you mention should be set to accommodate data size and retention time of your data. Being that data in Splunk index buckets will start to roll from hot to warm to cold and then frozen based on both the size and /or retention time I would suggest that you understand how much data you need to capture and retain as well as how long the data should remain available in the index. You can always increase / decrease the size and retention time as needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...