- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Rotating Data to Frozen After Time Period
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rotating Data to Frozen After Time Period
What is the best way to rotate events into Frozen OR delete events that are older than 18 months?
I can think of a few off the top of my head but what is the best or indented way to do this?
1) indexes.conf?
frozenTimePeriodInSecs seems to require a script? Why not just to the frozen dir identified in settings?
2) Run delete searches w/ a timespan?
3) A better way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as you specify coldToFrozenDir in your indexes.conf you shouldn't have any problems using frozenTimePeriodInSecs and set it to 1555200 (seconds in 18 days)
Here is the documentation:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Indexer/Configureindexstorage
and here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Indexer/Setaretirementandarchivingpolicy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good point... I was assuming retention was necessary when in fact it is not a requirement.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Data is frozen irrespective of it's location if the threshold for the setting is reached. Data can exist in the homePath and still be frozen. If you were to create a test index with a very short retention period (1h, for instance), it's very likely that as soon as a bucket rolls to warm, it'll disappear to bring the index retention policy back into compliance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's actually in the indexes.conf documentation:
maxHotSpanSecs
http://docs.splunk.com/Documentation/Splunk/6.0.1/admin/Indexesconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! How do I configure the duration for the Hot/Warm to Cold bucket move?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
however it will not be rolled into frozen until it has completed it's journey into cold, which would have to be set to 18 days as well, not to mention the hot/warm time. So the data will remain for 36 days in this scenario with the option of restoring the frozen 18 days of data at any given point
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The information in this post may assist you, Basically you can setup how long something should be in a specified bucket, You can say that something can stay in cold for 18 months and then it will automatically be deleted (if no frozen script is specified), However the data will be as old as the Hot/warm time as well, before starting it's journey into cold.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
