Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is multisite cluster retention policy?

hiph151
Explorer
‎03-18-2019 07:44 AM

Hi there,

A question regarding the retention policy approach in a clustered multi site-cluster two sites with each 3 indexers (replication factor 2+1).

We are planning a retention policy over 120 days and I feel the indexer's attitude towards cold to frozen is still somewhat unclear. Is that true that the cluster master handles the backup handling (coldToFrozen) and thus not every indexer pushes the cold buckets too frozen, otherwise we would have a huge storage space requirement.

https://answers.splunk.com/answers/241066/how-is-bucket-deletion-due-to-retention-managed-in.html

Many thanks!

0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 09:35 AM

Each indexer manages its own cycling from cold->frozen (and indeed hot->warm->cold)
The default behaviour of which (if left unconfigured) is to delete the data once frozen.

It is true to say, the CM maintains the process on behalf of the cluster (ie marking buckets as frozen) but each indexer is responsible for removing (or freezing) its own copy of the data

If my comment helps, please give it a thumbs up!
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...