How to purge old syslog events in Splunk?

benbeard · ‎08-26-2016

I can't for the life of me figure out how to purge old syslog entries in Splunk.

Tech details:
My 1st time using Splunk
Using Splunk on Windows Server 2012
Listening over UDP on 514 from Meraki devices.

Is there a way I can set a max number of entries and anything over the max falls off, or at least only keep the last 7-14 days of entries?

I'm currently at about 13,000,000 entries.

micahkemp · ‎08-26-2016

Event expiration happens at the index level. You can't (using normal Splunk practices) expire from a single sourcetype/host/etc.

Take a look at indexes.conf doc:
http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Indexesconf

maxTotalDataSizeMB =
* The maximum size of an index (in MB).
* If an index grows larger than the maximum size, the oldest data is frozen.
* This parameter only applies to hot, warm, and cold buckets. It does not
apply to thawed buckets.
* Highest legal value is 4294967295
* Defaults to 500000.

frozenTimePeriodInSecs =
* Number of seconds after which indexed data rolls to frozen.
* If you do not specify a coldToFrozenScript, data is deleted when rolled to
frozen.
* IMPORTANT: Every event in the DB must be older than frozenTimePeriodInSecs
before it will roll. Then, the DB will be frozen the next time splunkd
checks (based on rotatePeriodInSecs attribute).
* Highest legal value is 4294967295
* Defaults to 188697600 (6 years).

How to purge old syslog events in Splunk?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio