Data retention

When you send data to Splunk Cloud Platform, it is stored in indexes and you can self-manage your Splunk Cloud Platform indexes settings using the Indexes page in Splunk Web. Splunk Cloud Platform retains data based on index settings that enable you to specify when data is to be deleted. To configure different data retention settings for different sources of data, store the data in separate indexes according to the desired retention policy. You can configure different data retention policies for individual indexes according to your auditing and compliance requirements.

Each index lets you specify the maximum age of events in the Index (specified in the Retention (days) field on the Indexes page) that the service uses to determine when to delete data. When the index reaches the specified maximum size or events reach the specified maximum age, the oldest data is deleted. When data is deleted from the index, it is no longer searchable by Splunk Cloud Platform.

The following are the types of storage available in a Splunk Cloud Platform subscription:

• Dynamic Data Active Searchable (DDAS) is used for searching ingested data. DDAS is also commonly known as searchable storage. You can optionally purchase additional DDAS in 500 GB increments.
• Dynamic Data Active Archive (DDAA) is used as a long term storage and data in DDAA can be restored to DDAS to be searched. You can optionally purchase additional DDAA in 500 GB increments.

For both DDAS and DDAA, you can choose to have your data encrypted at rest using AES 256-bit encryption for an additional charge. If you choose encryption at rest, Splunk manages the encryption keys on your behalf by default. If available in your region, you have the option to manage the encryption keys instead.

You can review your storage consumption in the Cloud Monitoring Console app included in your Splunk Cloud Platform environment. The app provides information such as the amount of data stored and the number of days of retention for each index.

For more information about the data that Splunk retains and maintains on your behalf, see the Ensures Splunk Cloud Platform uptime and security section in Splunk maintenance responsibilities.

Dynamic Data Active Searchable (DDAS)

DDAS in your Splunk Cloud Platform environment should be sized based on the volume of uncompressed data that you want to index on a daily basis. For workload-based subscriptions, you purchase DDAS based on your data retention requirements that provide you the flexibility to tailor the variability in your use case. For example, if your forecasted daily volume of uncompressed data is 1 TB and your searchable retention need is 365 days, your Splunk Cloud Platform environment should be sized to have 365 TB of DDAS. Refer to the Splunk General Terms for Splunk's policy for Overages. Ingest-based subscriptions include sufficient DDAS to allow you to store up to 90 days of your uncompressed data. For example, if your daily volume of uncompressed data is 100 GB, your Splunk Cloud Platform environment will have 9000 GB (9 TB) of DDAS. Note the following:

• If you ingested far more data than your initial estimate and thus exceeded your entitled DDAS capacity, the Splunk Cloud Platform service elastically expands the amount of DDAS to retain your data per your retention settings.
• While DDAS is elastically expanded to ensure your data does not prematurely age out, consistently over ingesting beyond estimated may impact search performance.

Dynamic Data Active Archive (DDAA)

If you require a lower cost option for long term storage of data, you can optionally augment Splunk Cloud Platform with DDAA. As data ages from DDAS based on your index retention setting, the aged data is automatically moved to DDAA before deletion. Data remains in DDAA until the DDAA retention setting that you specify expires.

Your DDAA subscription enables you to perform restores, subject to the amount of DDAS you have purchased as part of your Splunk Cloud Platform subscription. An additional 10% of DDAS is included with your DDAA subscription to assist with restores. The 10% is calculated based on the total DDAS amount in your subscription. For example, a workload-based subscription that has a 10 TB DDAS entitlement will have an additional 1 TB of DDAS added with a DDAA subscription, effectively increasing the DDAS entitlement to 11 TB. Note that this additional 1 TB should be considered as reserved for DDAA restores, as any restore volumes that result in surpassing the DDAS entitlement may incur a true-up cost.

Note the following:

• Restored DDAA data is typically ready to search within 24 hours after a restoration request and remains searchable for up to 30 days.
• Large amounts of DDAA data restore can take beyond 24 hours to complete.
• Multiple restores that overlap within a 30-day period will accrue against the additional 10% of searchable storage included with your DDAA subscription.
• Refer to the Splunk General Terms for Splunk's policy for Overages.

Dynamic Data Self-Storage (DDSS)

You can also export your aged data from Splunk Cloud Platform. If you enable Dynamic Data Self-Storage (DDSS) to export your aged ingested data, the oldest data is moved to your Amazon S3 or Google Cloud Storage account in the same region as your Splunk Cloud Platform deployment before it is deleted from the index.

Note the following:

• You are responsible for payments for your use of Amazon S3 or Google Cloud Storage.
• Aged data is exported unencrypted to your Amazon S3 or Google Cloud Storage account.
• DDSS data stored in S3 cannot be searched by Federated Search for Amazon S3 at this moment.

See also