Data Retention

This topic lists the Sysdig data retention policies, as of September 2023.

When a host or instance is no longer monitored (when the agent is uninstalled), the historical data continues to be retained for the times stated below.

If required, you can change the standard data retention settings using Sysdig REST API. Contact your Sysdig support team or professional services for assitance as there are a variety of storage and timeline implications to consider before making such a change.

Retention is limited by storage or time on an either/or basis. Secure-only customers have only two weeks of retention.

Sysdig Monitor Metric Retention Limits

Metric GranularityRetention
10s4 hours
1m2 days
10m2 weeks
1h3 months
1d12 months

Sysdig Monitor Retention Limits

ComponentsRetention
All Events
The total event limit includes all event types: Infrastructure, Alert, Sysdig, and Custom events.
1,000,000 Total
Custom Events14 days
Infrastructure Events14 days
Unresolved Alert Events
Unacknowledged Alert Events
30 days
Resolved Alert Events
Acknowledged Alert Events
14 days
Captures90 days
Platform Audit Record90 days

Sysdig Secure Retention Limits

ComponentRetention
Policy events1M events or 90 days
Activity audit90 days
Benchmarks90 days
Pipeline Results
(cli-scan )
90 days
AND
Maximum of 5 tags per repository and a maximum of 5 different images per tag.
Runtime viewWorkloads will never expire as long as they are running.
They will be removed from the Runtime view up to 15 minutes after termination.
Runtime reportingThe Report will include workloads running at the time of report creation and the workloads that were terminated 24 hours or less before report creation.
Vulnerability Management Reports14 days
Captures90 days
Registry Scanning Results90 days
Platform Audit Record90 days
CSPM (Posture + Inventory)Resource data is refreshed every 24 hours when a posture evaluation is run.
Stale data (data from a failed scan because of a disconnected/removed agent, deleted cluster/account, or because the account lost its permissions) is shown for 7 days since the last scan.
Compliance data is stored in the backend for a year.