Getting Data In

check retention settled into splunk using

pacifikn
Communicator

Hi all!

I need help on how to check the retention set in Splunk using a Splunk search,
and other ways we can check it and see the time set for when the data will be deleted: 3 months or 6 months?
And also, how can we change it?

Thank you in advance

1 Solution

gcusello
SplunkTrust

Hi @pacifikn,
Did you see the Splunk Monitoring Console [Settings -- Monitoring Console -- Indexes -- Indexes and Volumes -- Indexes and Volumes: Instance]?
If you need a search, you can use and modify the search from the Indexes panel:

| rest splunk_server=DESKTOP-KBVMP9Q /services/data/indexes 
| eval frozenTimePeriodDay = round(frozenTimePeriodInSecs / 86400, 0)
| eval frozenTimePeriodDay = if(isnull(frozenTimePeriodDay) OR frozenTimePeriodDay == 0, "unlimited", frozenTimePeriodDay)
| table title frozenTimePeriodDay

Ciao.
Giuseppe


harsmarvania57
SplunkTrust

Hi,

You can run the query below to find the retention period of the indexes.

| rest splunk_server=INDEXER_HOSTNAME/IP /services/data/indexes f=title f=frozenTimePeriodInSecs
| stats values(frozenTimePeriodInSecs) as frozenTimePeriodInSecs by title
| eval "Retention (In Days)" = frozenTimePeriodInSecs/86400

To set retention for an index, you need to set the frozenTimePeriodInSecs parameter in indexes.conf.

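The two searches above read frozenTimePeriodInSecs from the /services/data/indexes REST endpoint and divide by 86400. The script below is an added example, not code from the thread: it does the same conversion outside SPL, which is useful when the check has to run from a compliance job rather than from Splunk Web. It uses Splunk's documented GET /services/data/indexes endpoint with output_mode=json and assumes bearer-token authentication; the SAMPLE_PAYLOAD is constructed to mirror that response shape and was not captured from a real server. An index that sets no value falls back to the indexes.conf default of 188697600 seconds (6 years), which is the case a 180-day retention policy most often misses.

```python
"""Report per-index retention from the REST endpoint the searches above query.

Added example, not code from the thread. It reads the same frozenTimePeriodInSecs
attribute from GET /services/data/indexes (Splunk's documented REST endpoint) with
output_mode=json and assumes a bearer token for authentication. SAMPLE_PAYLOAD is
constructed to look like that response; it was not captured from a real server.
"""
import json
import urllib.request

SECONDS_PER_DAY = 86400
# indexes.conf default for frozenTimePeriodInSecs (6 years), applied when an
# index stanza does not set its own value.
SPLUNK_DEFAULT_FROZEN_SECS = 188697600

# Constructed sample of the JSON shape returned by /services/data/indexes.
SAMPLE_PAYLOAD = {
    "entry": [
        {"name": "main", "content": {"frozenTimePeriodInSecs": "188697600"}},
        {"name": "firewall", "content": {"frozenTimePeriodInSecs": "15552000"}},
        {"name": "_internal", "content": {"frozenTimePeriodInSecs": "2592000"}},
        {"name": "audit_long", "content": {}},  # no value set: the default applies
    ]
}


def retention_days(payload):
    """Map each index name to its retention in days, as the SPL searches above do."""
    report = {}
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        secs = int(content.get("frozenTimePeriodInSecs", SPLUNK_DEFAULT_FROZEN_SECS))
        report[entry["name"]] = round(secs / SECONDS_PER_DAY)
    return report


def indexes_over(report, max_days):
    """Indexes whose retention exceeds a policy ceiling, e.g. a 180-day limit."""
    return sorted(name for name, days in report.items() if days > max_days)


def fetch_indexes(base_url, token, timeout=30):
    """Fetch the live payload; base_url is e.g. https://indexer.example:8089.

    count=0 asks the endpoint for every index rather than the first page only.
    """
    req = urllib.request.Request(
        f"{base_url}/services/data/indexes?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run over the constructed payload; swap in fetch_indexes(...) for a live host.
    report = retention_days(SAMPLE_PAYLOAD)
    for name, days in sorted(report.items()):
        print(f"{name:<12} {days:>6} days")
    print("over 180 days:", ", ".join(indexes_over(report, 180)))
```

Run it as-is to see the conversion on the constructed data; pointing fetch_indexes at a real management port gives the same report for every index on that indexer, including the ones that silently inherit the 6-year default.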

pacifikn
Communicator

Dear @gcusello

I have a question. For example, if you set that the data will be deleted at 6 months, does it mean the data from six months ago until now will be deleted, or does it delete the older data and keep the current data?

For example, if you started indexing the data in October,
does the six-month retention delete all the data until next February???
Which means, if we're in April, I can't see the data for January and February?


gcusello
SplunkTrust

Hi @pacifikn,
as I said, the logs of each index are stored in buckets, and for each bucket an earliest and a latest date are defined.
For deletion, the earliest date is relevant: when the earliest event exceeds the retention period, the entire bucket is discarded.

So, in your example:
if you have in a bucket events from 01/10/2019 to 31/12/2019 and you have a retention of six months, this full bucket will be discarded on 01/07/2020.
If you have other events from 31/12/2019 in another bucket with earlier events, they will not be discarded on 01/07/2020; e.g. if you have events from 31/12/2019 in another bucket (e.g. with the earliest event on 10/03/2020), they will not be discarded on 01/07/2020, but when the earliest event of their bucket exceeds the retention period (10/09/2020).

Ciao.
Giuseppe


gcusello
SplunkTrust

Hi @pacifikn,
about the data deletion, remember that deletion is managed on buckets: when the earliest event in a bucket exceeds the retention period, the bucket is frozen (deleted or frozen); this means that you could also have events that exceed the retention period, because in the same bucket there are events that don't.
To check this, you can still use the Monitoring Console or use the above search, adding also the latest event time in the index.

To modify the retention period, you have to set the frozenTimePeriodInSecs parameter for each index in indexes.conf.

Ciao.
Giuseppe

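Both of Giuseppe's replies make the same point: retention is enforced per bucket, so events older than frozenTimePeriodInSecs stay searchable as long as their bucket also holds newer events. The simulation below is an added example, not code from the thread. It applies the rule stated in the indexes.conf spec, that every event in a bucket must be older than frozenTimePeriodInSecs before the bucket rolls to frozen, so the bucket's newest event fixes the freeze date, which is also what the 01/07/2020 figure for the 01/10/2019 to 31/12/2019 bucket above comes out to. The two buckets are constructed from the thread's dates, and "six months" is assumed to be configured as 180 days because the parameter takes seconds, so the computed dates land a few days earlier than the calendar-month figures above. For an investigator or auditor the useful output is the last function: the oldest event still visible on a given day, which can be older than the retention policy says.

```python
"""Simulate when a Splunk bucket rolls to frozen under frozenTimePeriodInSecs.

Added example, not code from the thread. Rule applied (from the indexes.conf
spec): every event in a bucket must be older than frozenTimePeriodInSecs before
the bucket rolls to frozen, so the newest event in the bucket decides the date
and older events in the same bucket outlive the nominal retention. Buckets are
constructed from the thread's dates; "six months" is assumed to be 180 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SECONDS_PER_DAY = 86400
SIX_MONTHS_SECS = 180 * SECONDS_PER_DAY  # assumed encoding of a six-month policy


def day(iso):
    """Parse an ISO date string (helper so callers need no datetime import)."""
    return date.fromisoformat(iso)


@dataclass(frozen=True)
class Bucket:
    name: str
    earliest: date  # oldest event timestamp held in the bucket
    latest: date    # newest event timestamp held in the bucket


# Constructed buckets following the example in the thread.
BUCKETS = [
    Bucket("db_A", day("2019-10-01"), day("2019-12-31")),
    Bucket("db_B", day("2019-12-31"), day("2020-03-10")),
]


def freeze_date(bucket, frozen_secs):
    """Last day on which the bucket is still searchable; it rolls to frozen once
    every event, i.e. the newest one, is older than frozen_secs."""
    return bucket.latest + timedelta(seconds=frozen_secs)


def searchable_buckets(buckets, frozen_secs, today):
    """Buckets not yet rolled to frozen on the given day."""
    return [b for b in buckets if today <= freeze_date(b, frozen_secs)]


def oldest_visible_event(buckets, frozen_secs, today):
    """Oldest event still searchable on the given day, or None if nothing is left."""
    live = searchable_buckets(buckets, frozen_secs, today)
    return min((b.earliest for b in live), default=None)


def retention_overhang_days(bucket):
    """Days by which the bucket's oldest event outlives the nominal retention:
    exactly the span between its oldest and newest event."""
    return (bucket.latest - bucket.earliest).days


if __name__ == "__main__":
    today = day("2020-07-01")
    for b in BUCKETS:
        print(f"{b.name}: searchable through {freeze_date(b, SIX_MONTHS_SECS)}, "
              f"oldest event outlives policy by {retention_overhang_days(b)} days")
    oldest = oldest_visible_event(BUCKETS, SIX_MONTHS_SECS, today)
    print(f"on {today} the oldest searchable event is {oldest}, "
          f"{(today - oldest).days} days old under a 180-day policy")
```

Running it shows db_A gone after 2020-06-28 while db_B, which also holds 31/12/2019 events, stays searchable until 2020-09-06; on 2020-07-01 an event 183 days old is therefore still visible under a 180-day policy. The same reasoning applies in reverse when sizing bucket rollover: wide buckets (large maxDataSize or long maxHotSpanSecs) stretch how far real deletion lags the configured period.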