https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742367#M21931 <P>As an addition to what <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a> already said, see the .conf presentation <A href="https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf" target="_blank" rel="noopener">https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf</A></P><P>frozenTimePeriodInSecs only affects cold buckets. So a bucket has to first reach this stage in its life cycle. And hot buckets are rolled on a completely different basis than time-based retention limit.</P><P>That's it.</P><P>That's also why the usual questions like "how to make sure we have 2 days of hot buckets, a week of warm buckets and two months of cold buckets" get the response of "you can't do it this way".</P> Thu, 20 Mar 2025 21:00:53 GMT PickleRick 2025-03-20T21:00:53Z https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742295#M21912 <P>Hello,</P><P>I have defined a frozenTimePeriodInSecs for 1 hour on my IDX for a certain index, so that the logs it contains are only kept for 1 hour.<BR />The definition of the frozenTimePeriodInSecs was made in the indexes.conf in the system/local directory<BR />The problem I have, however, is that the frozenTimePeriodInSecs config only takes effect once when the IDX is restarted. Otherwise, the logs remain in this index for the defined retention period.</P><P>Has anyone already had the same problem and can help me with this?</P><P>Thanks in advance.</P> Thu, 20 Mar 2025 09:29:08 GMT https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742295#M21912 MrLR_02 2025-03-20T09:29:08Z https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742299#M21913 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248317">@MrLR_02</a>&nbsp;, the 1-hourfrozenTimePeriodInSecs&nbsp;will not affect buckets which are "hot" - ie they are actively open and being written to. If your buckets aren’t rolling from <STRONG>hot → warm → cold</STRONG>&nbsp;within an hour, retention will appear longer. The reason a restart causes them to roll to frozen is that the indexer closes the hot bucket when it restarts and thus becomes warm, and can then be frozen out.</P><P>To enforce deletion <STRONG>1 hour after ingestion</STRONG>, you may need to review some of the following settings, ive included some examples below:</P><DIV class="">&nbsp;</DIV><P><STRONG>Force hot buckets to roll faster</STRONG> by setting:<BR />Its worth understanding these and configuring as required - check&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf#:~:text=maxHotSpanSecs%20%3D%20%3Cpositive%20integer%3E" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf#:~:text=maxHotSpanSecs%20%3D%20%3Cpositive%20integer%3E </A>for more info.</P><DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><LI-CODE lang="markup">[your_index] maxHotSpanSecs = 3600 # Hot bucket rolls to warm after 1h maxHotIdleSecs = 60 # Rolls if idle for 1min maxDataSize = auto_high_volume # Or lower to cap hot-bucket size</LI-CODE><DIV class="">&nbsp;</DIV><P>These ensure hot buckets roll to warm&nbsp;<STRONG>based on time</STRONG>, not just size.</P><DIV><DIV class=""><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV><P>Please let me know how you get on and consider adding karma to this or any other answer if it has helped.<BR />Regards<BR /><BR />Will</P> Thu, 20 Mar 2025 09:52:08 GMT https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742299#M21913 livehybrid 2025-03-20T09:52:08Z https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742306#M21914 <P class="lia-align-left">Would these settings also have to be made if I set the retention period for this index to 1 day or possibly 1 week?</P> Thu, 20 Mar 2025 10:19:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742306#M21914 MrLR_02 2025-03-20T10:19:07Z https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742367#M21931 <P>As an addition to what <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a> already said, see the .conf presentation <A href="https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf" target="_blank" rel="noopener">https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-data.pdf</A></P><P>frozenTimePeriodInSecs only affects cold buckets. So a bucket has to first reach this stage in its life cycle. And hot buckets are rolled on a completely different basis than time-based retention limit.</P><P>That's it.</P><P>That's also why the usual questions like "how to make sure we have 2 days of hot buckets, a week of warm buckets and two months of cold buckets" get the response of "you can't do it this way".</P> Thu, 20 Mar 2025 21:00:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/frozenTimePeriodInSecs-only-takes-effect-on-IDX-restart/m-p/742367#M21931 PickleRick 2025-03-20T21:00:53Z