Add a retention policy to KV Store collections
Retention policies in Splunk Enterprise Security can automatically clear data from specific KV Store collections based on a time field. You add a retention policy for a Splunk Enterprise Security KV Store collection in the managed_configurations.conf configuration file.
The following example adds a retention policy to a KV Store collection in the managed_configurations.conf configuration file.
In this example, the retention key holds the retention policy. The policy checks the value of the time field in each row and deletes any row whose time field is older than earliestTime, which here is 10 days (-10d). timeField names the column that holds the timestamp and timeFormat gives its strptime-style format; %s means epoch seconds. Setting disabled to 1 turns the policy off without removing it.
[lookup:collection_X]
endpoint = /services/data/transforms/lookups/collection_X
label = Label for collection X
description = Some description for collection X
editable = 0
lookup_type = reserved
retention = {\
"disabled": 0,\
"earliestTime": "-10d",\
"timeField": "time",\
"timeFormat": "%s"\
}
Use the following curl command to customize the retention policy for your KV Store collection. For the retention policy above, {file} is managed_configurations and {lookup:collection-name} is the stanza name, for example lookup:collection_X.
curl --location --request POST 'https://<host>:<mPort>/servicesNS/nobody/{app}/configs/conf-{file}/{lookup:collection-name}' \
  -k -u <username>:<password> \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'retention={"disabled": 0, "earliestTime": "-7d", "timeField": "time", "timeFormat": "%s"}' \
  --data-urlencode 'label=My Collection Label' \
  --data-urlencode 'lookup_type=reserved' \
  --data-urlencode 'endpoint=/services/data/transforms/lookups/collection_endpoint' \
  --data-urlencode 'editable=0' \
  --data-urlencode 'description=My collection description'
The retention value must be valid JSON: a missing quote or brace is accepted by curl but leaves the collection with a policy Splunk cannot parse. The -k flag disables TLS certificate verification; where the management port presents a certificate from your own CA, drop -k and pass --cacert instead. Passing -u <username>:<password> puts the password in shell history and the process list; a Splunk authentication token sent as --header 'Authorization: Bearer <token>' avoids that.
After configuring the retention policy, you can see the change to the KV Store collection in the $SPLUNK_HOME/etc/apps/{app}/local directory, which overrides the default settings for the KV Store collection. You do not need to restart your Splunk instance because an auto-reload occurs by default when a POST configuration request is made.
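The following Python script is an added example, not code from the Splunk documentation or from the Splunk Enterprise Security product. It builds and validates the retention object, renders the managed_configurations.conf stanza shown above, URL-encodes the POST body and decodes it again to prove the JSON survived (the check that catches the kind of unbalanced quote a hand-typed curl command can carry), and dry-runs the policy over a few constructed rows (three days old, eleven days old, no time field, unparseable time field). The relative-time subset it accepts (-Ns, -Nm, -Nh, -Nd) and its choice to keep rows whose time field is missing or unparseable are assumptions of this example, not documented Splunk behaviour.

```python
# Added example, not Splunk's own code. Collection names and rows are constructed.
import calendar
import json
import re
import time
from urllib.parse import parse_qs, urlencode

# Relative-time modifiers accepted here: -<n>s, -<n>m, -<n>h, -<n>d. Splunk's
# relative-time syntax is richer; limiting it to this subset is an assumption.
_REL_TIME = re.compile(r"^-(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def relative_seconds(earliest_time):
    """Convert an earliestTime such as '-10d' into a number of seconds."""
    m = _REL_TIME.match(earliest_time)
    if not m:
        raise ValueError(f"unsupported earliestTime: {earliest_time!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def build_retention(earliest_time="-10d", time_field="time",
                    time_format="%s", disabled=0):
    """Validate the four policy fields and return the retention object."""
    relative_seconds(earliest_time)  # raises on a malformed modifier
    if disabled not in (0, 1) or not time_field or not time_format:
        raise ValueError("invalid retention policy")
    return {"disabled": disabled, "earliestTime": earliest_time,
            "timeField": time_field, "timeFormat": time_format}


def conf_stanza(collection, retention, label, description):
    """Render the managed_configurations.conf stanza; the multi-line JSON
    value is continued with trailing backslashes, as in the docs."""
    retention_value = "\\\n".join(json.dumps(retention, indent=0).splitlines())
    return "\n".join([
        f"[lookup:{collection}]",
        f"endpoint = /services/data/transforms/lookups/{collection}",
        f"label = {label}", f"description = {description}",
        "editable = 0", "lookup_type = reserved",
        f"retention = {retention_value}"])


def post_body(collection, retention, label, description):
    """Form-encoded body for the configs/conf-managed_configurations POST."""
    return urlencode({"retention": json.dumps(retention), "label": label,
                      "lookup_type": "reserved", "editable": "0",
                      "endpoint": f"/services/data/transforms/lookups/{collection}",
                      "description": description})


def decode_post_body(body):
    """Parse the body back and decode the retention JSON before sending it:
    curl sends an unbalanced quote without complaint, Splunk cannot parse it."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    fields["retention"] = json.loads(fields["retention"])
    return fields


def row_timestamp(row, retention):
    """Epoch seconds of the row's time field, or None if missing/unparseable.
    %s is read directly; other formats go through strptime and are taken as UTC."""
    value = row.get(retention["timeField"])
    if value is None:
        return None
    try:
        if retention["timeFormat"] == "%s":
            return int(float(value))
        return calendar.timegm(time.strptime(str(value), retention["timeFormat"]))
    except (ValueError, TypeError):
        return None


def apply_retention(rows, retention, now=None):
    """Dry run: split rows into (kept, deleted) as the policy would. Rows whose
    time field is missing or unparseable are kept; the docs do not say what
    Splunk does with such rows, so that choice is an assumption."""
    if retention["disabled"]:
        return list(rows), []
    now = time.time() if now is None else now
    cutoff = now - relative_seconds(retention["earliestTime"])
    kept, deleted = [], []
    for row in rows:
        ts = row_timestamp(row, retention)
        (deleted if ts is not None and ts < cutoff else kept).append(row)
    return kept, deleted


if __name__ == "__main__":
    policy = build_retention("-10d")
    print(conf_stanza("collection_X", policy, "Label for collection X",
                      "Some description for collection X"))
    now = 1_700_000_000  # constructed "current" time for a reproducible dry run
    rows = [{"_key": "a", "time": str(now - 3 * 86400)},   # 3 days old: kept
            {"_key": "b", "time": str(now - 11 * 86400)},  # 11 days old: deleted
            {"_key": "c"}]                                  # no time field: kept
    kept, deleted = apply_retention(rows, policy, now)
    print("kept:", [r["_key"] for r in kept], "deleted:", [r["_key"] for r in deleted])
```

Run decode_post_body on the body you are about to send and confirm the retention object comes back equal to what build_retention produced; only then hand the body to curl or an HTTP client.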