Need 12 months hot data, 3 months cold, nothing else
I put the following in /opt/splunk/etc/system/local/indexes.conf:
[main]
frozenTimePeriodInSecs = 39312000
That setting is supposed to remove anything over 1.25 years old in my data.
Then I restarted splunk, but the size of the indexes did not go down and I still have less than 500MB remaining in my partition, so that server is not accepting input from forwarders. The files taking up 60% of that space are in /local/splunk/hot/named_application/db* files, and did not change after restarting the server.
Shouldn't the setting added to indexes.conf have removed anything over 39312000 seconds (1.25 years) old from my indexes? I am using Splunk 6.5.2.
The documentation from Splunk is a convoluted mess. Please don't answer by saying "Read this" and pointing me to a user manual.
Thanks for your help,
George
↧