uberAgent

How to Configure Data Retention

Splunk is very flexible with regard to data retention. You can configure when data is old enough to be deleted (after optionally being archived elsewhere). The place to do this is the file indexes.conf in uberAgent’s app directory.

uberAgent stores its data in its own index called uberagent. The default configuration for the uberagent index comes from the file [uberagent app directory]\default\indexes.conf:

[uberagent]
homePath = $SPLUNK_DB/uberagent/db
coldPath = $SPLUNK_DB/uberagent/colddb
thawedPath = $SPLUNK_DB/uberagent/thaweddb
maxMemMB = 20
maxConcurrentOptimizes = 6
maxHotIdleSecs = 86400
maxHotBuckets = 10
maxDataSize = auto_high_volume

Important: Do not change this file! If you do, your changes will be lost when the application is updated. Instead, create a new indexes.conf in the app’s local subdirectory. Settings from local/indexes.conf override settings from default/indexes.conf.

The Splunk documentation page Configure index storage lists the relevant settings from indexes.conf. The most important settings for controlling index storage and data retention are:

  • frozenTimePeriodInSecs: Absolute time in seconds after which data is deleted (default) or archived (if configured). The default is approximately 6 years.
  • maxTotalDataSizeMB: Maximum total size of the index in MB. The default is 500,000 MB. When the index reaches this size, the oldest buckets (data directories) are "rolled to frozen", a process that triggers archival (if configured) and subsequent deletion.

By the way, Splunk will never completely fill your disks. By default, it stops accepting new data when free disk space drops to 2,000 MB.
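
The following is an added example, not part of the original article: a local indexes.conf that overrides only the two retention settings described above. The 90-day and 100 GB values and the archive path are assumptions chosen for illustration.

```ini
# [uberagent app directory]\local\indexes.conf
# Constructed example: the retention values below are assumptions,
# pick values that match your own retention requirements.
#
# Only the settings being overridden are listed. Everything else
# (homePath, coldPath, thawedPath, ...) is still read from
# default\indexes.conf, which stays untouched.

[uberagent]

# Time-based limit: keep data for 90 days.
# 90 days * 24 h * 60 min * 60 s = 7776000 seconds
frozenTimePeriodInSecs = 7776000

# Size-based limit: cap the index at 100 GB.
# 100 GB * 1024 = 102400 MB
maxTotalDataSizeMB = 102400

# Buckets are rolled to frozen as soon as EITHER limit is reached,
# so size the cap generously if the time window is the one that
# must be guaranteed (for example for incident investigations).

# Optional: archive frozen buckets instead of deleting them.
# The path is a placeholder, not a value from the article.
# coldToFrozenDir = /path/to/archive/uberagent
```

After restarting Splunk, `splunk btool indexes list uberagent --debug` shows the merged settings for the index and the file each value comes from.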
