cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
charlesslover
Engager
Member since: ‎06-07-2018
‎11-03-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎06-07-2018
View All

Re: Culling older events in an index

by in Getting Data In
‎06-07-2018 12:53 PM
‎06-07-2018 12:53 PM
Thanks! I didn't know that buckets could contain events with such varying dates. 😞 ... View more

Culling older events in an index

by in Getting Data In
‎06-07-2018 12:39 PM
‎06-07-2018 12:39 PM
Yello! So I'm trying to remove events in a specific index older than a year, and all the references I've found so far, such as the primary link to the retention policy setting page (http://docs.splunk.com/Documentation/Splunk/6.6.3/Indexer/Setaretirementandarchivingpolicy) have told me the same thing. I am pretty sure I'm following the directions correctly, but it's not working. The indexes.conf in etc/system/local is as below: [datindextho] coldPath = $SPLUNK_DB\datindextho\colddb homePath = $SPLUNK_DB\datindextho\db frozenTimePeriodInSecs = 31536000 thawedPath = $SPLUNK_DB\datindextho\thaweddb The index is currently showing events from two years ago. I want to cut everything back to maximum one year. So far setting it this way and restarting Splunk has not caused the index to be reduced. Do I need more information in this stanza? Thank you all for your help! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-03-2023 12:13 PM
Karma given to
View All