Data Retention
This topic lists the Sysdig data retention policies, as of September 2023.
When a host or instance is no longer monitored (when the agent is uninstalled), the historical data continues to be retained for the times stated below.
If required, you can change the standard data retention settings by using Sysdig REST API. A Sysdig support team or professional services member should assist, as there are a variety of storage and timeline implications to consider before making such a change.
Note that retention is limited by storage or time on an either/or basis.
Sysdig Monitor Metric Retention Limits
| Metric Granularity | Retention |
|---|---|
| 10s | 4 hours |
| 1m | 2 days |
| 10m | 2 weeks |
| 1h | 3 months |
| 1d | 12 months |
Sysdig Monitor Retention Limits
| Components | Retention |
|---|---|
| All Events The total event limit includes all event types: Infrastructure, Alert, Sysdig, and Custom events. | 1,000,000 Total |
| Custom Events | 14 days |
| Infrastructure Events | 14 days |
| Unresolved Alert Events Unacknowledged Alert Events | 30 days |
| Resolved Alert Events Acknowledged Alert Events | 14 days |
| Captures | 90 days |
| Platform Audit Record | 90 days |
Sysdig Secure Retention Limits
| Component | Retention |
|---|---|
| Policy events | 1M events or 90 days |
| Activity audit | 90 days |
| Benchmarks | 90 days |
| Pipeline Results (cli-scan ) | 90 days AND Maximum of 5 tags per repository and a maximum of 5 different images per tag. |
| Runtime view | Workloads will never expire as long as they are running. They will be removed from the Runtime view up to 15 minutes after termination. |
| Runtime reporting | The Report will include workloads running at the time of report creation and the workloads that were terminated 24 hours or less before report creation. |
| Vulnerability Management Reports | 14 days |
| Captures | 90 days |
| Platform Audit Record | 90 days |
| CSPM (Posture + Inventory) | Resource data is refreshed every 24 hours when a posture evaluation is run. Stale data (data from a failed scan because of a disconnected/removed agent, deleted cluster/account, or because the account lost its permissions) is shown for 7 days since the last scan. Compliance data is stored in the backend for a year. |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.