I want to delete logs permanently from each indexer present inside the indexer cluster using a search query for 3 months.
The below query provides me with the output of the raw logs older than 3 months:
source=* sourcetype=* host=* latest=-90d@d earliest=0
Found out that the delete command doesn't delete the logs completely from the disk and the remove command cannot be used in an index cluster environment.
Is it that I have to rely only on the bucket rolling parameter set?
Is it necessary to mention each parameter in indexes.conf?
Or is it enough if I only mention frozenTimePeriodInSecs = ?