Re: Reduce size of index after amount of time

gpareesi11 · ‎03-09-2016

Hi,
I'm currently looking if it possible to reduce the amount of data store in index after 6 months.

Example:
I'm collecting CPU performance metric at each second for my server, after 6 months is it possible to reduce the size by keeping only CPU performance metric on 5 minutes interval for the next 6 months ?

Thank you

richgalloway · ‎03-09-2016

Once data is indexed it cannot be deleted until the whole bucket ages out. There is a delete command, but it hides data rather than remove it.

---
If this reply helps you, Karma would be appreciated.

gpareesi11 · ‎03-09-2016

I understand this part, but when the bucket ages out, I don't need to delete everything but keep a different log interval to reduce the amount of data kept on storage.

I still need some dashboard and report but based on 5 minutes log interval instead of 1 second ?

Thank you

richgalloway · ‎03-09-2016

Consider a summary index. Sample your 6-month-old data at 5-minute intervals and write it to a summary index with its own 6-month lifespan.

---
If this reply helps you, Karma would be appreciated.

gpareesi11 · ‎03-09-2016

Great thanks

Reduce size of index after amount of time

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?