Deployment Architecture

What is multisite cluster retention policy?

hiph151
Explorer

Hi there,

A question regarding the retention policy approach in a clustered multi site-cluster two sites with each 3 indexers (replication factor 2+1).

We are planning a retention policy over 120 days and I feel the indexer's attitude towards cold to frozen is still somewhat unclear. Is that true that the cluster master handles the backup handling (coldToFrozen) and thus not every indexer pushes the cold buckets too frozen, otherwise we would have a huge storage space requirement.

https://answers.splunk.com/answers/241066/how-is-bucket-deletion-due-to-retention-managed-in.html

Many thanks!

0 Karma

nickhills
Ultra Champion

Each indexer manages its own cycling from cold->frozen (and indeed hot->warm->cold)
The default behaviour of which (if left unconfigured) is to delete the data once frozen.

It is true to say, the CM maintains the process on behalf of the cluster (ie marking buckets as frozen) but each indexer is responsible for removing (or freezing) its own copy of the data

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...