Solved: Index Retention by Time Only

aferone · ‎02-21-2012

We would like to retain data in our indexes by time only. Is this possible? I think I am doing it correctly for our internal index by using the following line, for 90 days:

frozenTimePeriodInSecs = 7776000

Is this correct, and can I use this line to retain indexes solely on time for all indexes, instead on disk size?

Thanks!

_d_ · ‎02-21-2012

Yes, this is correct. However, as a precaution I would also suggest setting maxTotalDataSizeMB to a reasonably large value so that frozenTimePeriodInSecs hits before it does.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

_d_ · ‎02-21-2012

Yes, this is correct. However, as a precaution I would also suggest setting maxTotalDataSizeMB to a reasonably large value so that frozenTimePeriodInSecs hits before it does.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

_d_ · ‎02-21-2012

Yes. Splunk will freeze data when either of maxtotaldatasizeMB or frozenTimePeriodInSecs is reached first. So, if you reach a size of 500GB (which is the defult maxtotaldatasizeMB), say, on day 61, old data will be frozen even though it's not 90 days old.

aferone · ‎02-21-2012

Thanks for answering! Can you explain the need for setting the maxtotaldatasizeMB though? Is it just as a fail safe?

Index Retention by Time Only

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...