Docs » Resolution and data retention in Splunk Infrastructure Monitoring

Resolution and data retention in Splunk Infrastructure Monitoring 🔗

In Infrastructure Monitoring, the term resolution refers to data collection intervals called native resolution, or intervals at which data points are displayed on a chart called chart resolution. For more information, see Data resolution and rollups in charts.

Note

The information presented in this topic applies to you only if your organization’s subscription plan is based on the number of hosts or metrics that Infrastructure Monitoring is monitoring for you. If your organization uses a data points per minute (DPM) subscription plan based on the rate at which you’re sending data points to Splunk Infrastructure Monitoring, see Resolution and data retention in Splunk Infrastructure Monitoring (DPM plans only).

Native resolution 🔗

Data points are typically sent to Infrastructure Monitoring at a regular interval, for example, once every 10 seconds. For data coming in more often than every 10s, the native resolution depends on whether the data point was specified as high-resolution when it was sent to Infrastructure Monitoring.

  • If a data point is specified as high resolution when it is sent to Infrastructure Monitoring, the frequency at which it is being sent (as fine as one second) will be considered as its native resolution. In other words, if you are sending in 1s data, graphs and detectors can display or analyze the data at 1‑second intervals.

  • For standard resolution data, all metrics arriving more frequently than every 10s will be rolled up to achieve an effective native resolution of 10s.

You can also specify that data points you are sending to Infrastructure Monitoring using the Splunk Infrastructure Monitoring API should be treated as high resolution.

Rollups, resolution, and data retention policies 🔗

Rollups 🔗

When Infrastructure Monitoring receives data points for a given metric time series it stores rollups for each interval. For more information, see Metrics, data points, and metric time series in Splunk Observability Cloud.

  • Sum — The sum of all the values of the data points received during each interval

  • Min — The lowest value from among the data points received during each interval

  • Max — The highest value from among the data points received during each interval

  • Count — The number of data points received during each interval

  • Latest — The value of the most recent data point received during each interval

  • Delta — The value of the delta timing.

  • Lag — The value of the lag timing.

For example, if Infrastructure Monitoring receives the data point values 40, 50, 30, 10, and 20 (in that order) for a given time series in a 1-minute window, the 1-minute rollups will be stored as shown in the following table.

Rollup type

Value

Sum

150

Count

5

Min

10

Max

50

Latest

20

Resolution 🔗

These rollups are retained at different resolutions depending on how long ago the data was received, the subscription plan that was in effect when the data arrived at Infrastructure Monitoring, and whether the data point was specified as high resolution when it was sent to Infrastructure Monitoring.

  • High resolution metrics can be stored at a resolution as fine as 1 second.

  • Standard resolution metrics can be stored at a resolution as fine as 10 seconds.

Retention 🔗

Retention period is officially managed in days since the length of each month is different. Therefore, the number of months is only an approximation to the number of days in the actual retention period.

The following table shows how long data is retained at different resolutions.

Resolution

Standard plan

Enterprise or Custom plan

1 second

8 days

3 months (96 days)

10 seconds or more

13 months (416 days)

13 months (416 days)

For more information on rollups in general, and how they apply to charts and detectors, see Rollups.

Note

Custom events are retained in the platform for a year.

This page was last updated on Aug 08, 2024.