Configure archive settings for an index

This section shows you how to configure archive settings for a specific index.

Managing archive settings requires the indexes_edit capability. All archive changes appear in the audit.log file.

CAUTION: Setting incorrect or inadequate data retention values can result in a loss of data. If you have any questions about correctly setting the searchable and archive retention values for your Splunk Cloud Platform deployment, contact your Splunk account representative.

For more information on Splunk Cloud Platform data retention settings and policies and the DDAS and DDAA subscription options, see:

Configure archiving for an index

  1. In Splunk Cloud, go to Settings > Indexes.
  2. Click New Index to create a new index or click Edit in the Actions column for an existing index.
  3. In the Max raw data size field, specify the maximum amount of raw data allowed before data is removed from the index and archived.
  4. In the Dynamic Data Storage field, select Splunk Archive.
  5. Set the Searchable retention (days) and Archive Retention Period values. Note the following:
    1. Searchable retention (days) refers to the Dynamic Data Active Searchable (DDAS) or searchable storage value. This is the searchable retention period, and is considered warm storage.
    2. Dynamic Data Storage > Splunk Archive > Archive Retention Period holds the Dynamic Data Active Archive (DDAA), or archive storage value, and is considered cold storage. You can specify this value in years, months, or days. The maximum archive retention period is 3650 days (10 years). Specify a value within this range.
    3. The archive retention period is the total amount of time that Splunk retains your data. The archive retention period includes the searchable retention period. For example, if you want Splunk Cloud Platform to retain your data for a total of 365 days, but you want that data searchable for the first 90 days, set the searchable retention period to 90 days and the archive retention period to 365 days (not 365-90 days).
    4. When specifying the archive retention period value, you must specify a value that is greater than the searchable retention period. For example, if you set Searchable retention (days) to 90 days, you must set the Archive Retention Period to a value greater than 90 days, such as 180 days.
  6. Click Save.
CAUTION: You cannot enable both DDAA and DDSS at the same time for the same index. If you enable DDAA for an index, then later decide to change the index settings to use either DDSS or no storage, you must contact Splunk Support if you want to retain the archived data.

Disable archiving for an index

  1. Go to Settings > Indexes.
  2. Click Edit in the Actions column for the index you want to manage.
  3. In the Dynamic Data Storage field, select Self Storage to move data to self-storage location when it expires or No Additional Storage to delete data as it expires.
  4. Click Save. When data in this index expires, it is deleted.
Note: Disabling archiving for an index marks the existing archived data with a status of delete. Deleted archive data will be permanently erased 30 days after the deletion date. Be aware that disabling archiving for an index does not affect the time or size of the data retention policy for the index.
If you disable archiving for an index in error, contact Splunk Support as soon as possible. If you have a support contract, file a new case using the Splunk Support Portal. Otherwise, contact Splunk Customer Support.