- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How do I expire a bucket with future events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I realize buckets die off as the newest event surpasses the expiration date. I also understand that deleting events do not remove the events, simply mask them from appearing in search results.
My question is, do deleted events count when Splunk decides on when to expire a bucket file? In other words, does deleting an event remove it from Splunk's calculations for expiration? I am looking for a way to manage an index corrupted with future events, other than manually deleting very old files manually, when the time comes. The other events in the index are valid and needed.
I am using Splunk version 4.3.4, soon to be upgraded to version 5.x.
This is related to my Splunk-Base "How do i configure an index to manage future events" question. An answer here or there may solve both.
Please correct me if I misunderstand anything and thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that deleting events will not affect how a bucket is frozen. I believe that the only parameter involved in that decision is the timestamp in the name of the directory where the data is stored. For each bucket directory the naming convention is;
db_newestTimestamp_oldestTimeStamp_sequenceNo
I don't think that Splunk will change the name of the bucket when data is deleted.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian, convert your comment to an answer and I'll accept.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian is right. Splunk cannot manage buckets on an event by event basis. You can use an epoch time converter to check the timestamps on your buckets: www.epochconverter.com/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good point! Perhaps there is a search that I can run to identify the buckets I'd need to manually handle after a couple of years?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that deleting events will not affect how a bucket is frozen. I believe that the only parameter involved in that decision is the timestamp in the name of the directory where the data is stored. For each bucket directory the naming convention is;
db_newestTimestamp_oldestTimeStamp_sequenceNo
I don't think that Splunk will change the name of the bucket when data is deleted.
/k
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
