How to Configure Data Retention
Splunk is very flexible with regard to data retention. You can configure when data is old enough to be deleted (after optionally being archived elsewhere). The place to do this is the file indexes.conf in uberAgent’s app directory.
uberAgent stores its data in its own index called uberagent. The default configuration for the uberagent index comes from the file [uberagent app directory]\default\indexes.conf:
[uberagent]
homePath = $SPLUNK_DB/uberagent/db
coldPath = $SPLUNK_DB/uberagent/colddb
thawedPath = $SPLUNK_DB/uberagent/thaweddb
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume
Important: Do not change this file! If you do, your changes will be lost when the application is updated. Instead, create a new indexes.conf in the app’s local subdirectory. Settings from local/indexes.conf overwrite settings from
The Splunk documentation page Configure index storage lists the relevant settings from indexes.conf. The most important settings for controlling index storage and data retention are:
frozenTimePeriodInSecs: Absolute time in seconds after which data is deleted (default) or archived (if configured). The default is approximately 6 years.
maxTotalDataSizeMB: Maximum total size of the index in MB. The default is 500,000 MB. When the index reaches this size, the oldest buckets (data directories) are “rolled to frozen”, a process that triggers archival (if configured) and subsequent deletion.
By the way, Splunk will never completely fill your disks. By default, it stops accepting new data when the free disk space reaches 2,000 MB.
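As an added example (not part of the original page or of uberAgent's shipped configuration), a [uberagent app directory]\local\indexes.conf that overrides only the two retention settings described above could look like this. The 90-day and 100 GB values and the archive path are constructed placeholders; coldToFrozenDir is a standard indexes.conf setting that the page itself does not mention.

```ini
# [uberagent app directory]/local/indexes.conf
# Constructed example values; size them to your own retention requirements.
# List only the settings you want to override. Everything else (homePath,
# coldPath, maxDataSize, ...) keeps its value from default/indexes.conf.

[uberagent]
# Retain data for 90 days: 90 * 24 * 60 * 60 = 7,776,000 seconds.
# A bucket is rolled to frozen by age only once its newest event is older
# than this, so some events can stay searchable for longer than 90 days.
frozenTimePeriodInSecs = 7776000

# Cap the index at 100 GB (100 * 1024 MB).
# Whichever limit is reached first, age or size, freezes the oldest buckets,
# so a size cap that is too small shortens the effective retention period.
maxTotalDataSizeMB = 102400

# Optional: archive frozen buckets to this directory instead of deleting them.
# Placeholder path; without an archive setting, frozen data is deleted.
# coldToFrozenDir = /path/to/archive/uberagent
```

To confirm which file each effective value comes from, run `splunk btool indexes list uberagent --debug` on the indexer.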