uberAgent Support

How to Configure Data Retention

Splunk is very flexible with regards to data retention. You can configure when data is old enough to be deleted (after optionally being archived elsewhere). The place to do this is the file indexes.conf in uberAgent's app directory.

uberAgent stores its data in its own index called uberagent. The default configuration for the uberagent index comes from the file [uberagent app directory]\default\indexes.conf:

[uberagent]
homePath = $SPLUNK_DB/uberagent/db
coldPath = $SPLUNK_DB/uberagent/colddb
thawedPath = $SPLUNK_DB/uberagent/thaweddb
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume

Important: Do not change this file! If you do, your changes will be lost when the application is updated. Instead, create a new indexes.conf in the app's local subdirectoy. Settings from local/indexes.conf overwrite settings from default/indexes.conf.

The Splunk documentation page Configure index storage lists the relevant settings from indexes.conf. The most important settings for controlling index storage and data retention are:

frozenTimePeriodInSecs: Absolute time in seconds after which data is deleted (default) or archived (if configured). The default is approximately 6 years.

maxTotalDataSizeMB: Maximum total size of the index in MB. The default is 500,000 MB. When the index reaches this size, the oldest buckets (data directores) are "rolled to frozen", a process that triggers archival (if configured) and subsequent deletion.

By the way, Splunk will never completely fill your disks. By default it stops accepting new data when the free disk space reaches 2,000 MB.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk