Re: Data storage retention for 30 days of data

pb0543 · ‎05-06-2016

I have a 6.x environment and I want to configure splunk to only retain the last 30 days worth of data. How do I configure this for each indexer. I have 315 GB per indexer. I have 5 indexers. I only want to retain the last 30 days of data on each indexer. I see data files in my indexers(db) that are from 2014 and 2015 in this directory path - /opt/tools/splunk/var/lib/splunk. I setup two indexes, but I also see quite a bit data files in the defaultdb.

ddrillic · ‎05-06-2016

You can use the frozenTimePeriodInSecsconfig variable.

How is frozenTimePeriodInSecs applied?

speaks about it... something like -

     [90day_index]
     frozenTimePeriodInSecs = 7776000

     [forever_index]
     frozenTimePeriodInSecs = 188697600

somesoni2 · ‎05-06-2016

Have look at SPlunk doc for this

http://docs.splunk.com/Documentation/Splunk/6.2.6/Indexer/Setaretirementandarchivingpolicy#Set_attri...

Since you've limited/smaller space then splunk's default index size 500,000MB, I would suggest to set both maxTotalDataSizeMB and frozenTimePeriodInSecs.

richgalloway · ‎05-06-2016

Try this answer: https://answers.splunk.com/answers/389658/what-will-break-if-i-set-coldpath-to-devnull.html

---
If this reply helps you, Karma would be appreciated.

Data storage retention for 30 days of data

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!