- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: Index cleanup is not happening as expected
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index cleanup is not happening as expected
Hi ,
I would like to cleanup the 1 year old files, so I have updated the settings as like below in Indexes.conf file and restarted splunk, but it didn't clean up my old data. Please find my indexes.conf below
[test]
coldpath = $SPLUNKDB/test/colddb
homepath = $SPLUNKDB/test/db
thawedpath = $SPLUNKDB/test/thaweddb
maxTotalDataSizeMB = 500000
frozenTimePeriodInSecs = 31556926
Let me know if I need to add any other entries or any modification this indexes.conf file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi Abilan1,
go in the path $ SPLUNK_HOME/etc/system/local/ OR $SPLUNK_HOME/etc/apps/your_apps/local and paste this stanza
[test]
coldpath = $SPLUNKDB/test/colddb
homepath = $SPLUNKDB/test/db
thawedpath = $SPLUNKDB/test/thaweddb
maxTotalDataSizeMB = 1000000
frozenTimePeriodInSecs = 31536000
next you restart splunk.
I think it should work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Do you want me to add the new entries on those files in different location? Whenever we create the new index, it updates indexes.conf file with details right? I am seeing the entries under splunk_management_console folder indexes.conf file. so I've updated frozen time details there. I am scared to add all the entries to those indexes.conf file, in case if it creates any other issues. Please advise.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
where is located your index.conf?
in $ SPLUNK_HOME / etc / system / local /?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
When I see my Index though Splunk Web, I can see it is in "splunk_management_console" not in system. (Settings > Indexes). I have checked $ SPLUNK_HOME / etc / system / local location, I don't see any entries on that indexes.conf file.
So when I checked in $ SPLUNK_HOME/splunk_management_console/system/local, I found my index related entry in indexes.conf file and I've updated frozen time here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The path $ SPLUNK_HOME/splunk_management_console/system/local doesn't sound like a valid configuration path. Are you sure that's the correct path? Maybe that path is symlinked into $SPLUNK_HOME/etc/system/local or in $SPLUNK_HOME/etc/apps ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have verified the path which you have given and I don't see any entries on that..Can you please confirm the entry(frozenTimePeriodInSecs = 31556926) which I've added into indexes.conf is enough to cleanup 1 year old data? Or any other related fields needs to be added to that?
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
