https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/116366#M24282 <P>A bucket that contains events overlapping the time retention will not be frozen until all the events are older than the retention.</P> <P>By default indexes.conf has buckets with up to 3 months of span. So It's possible that you have buckets still overlapping<BR /> <CODE>[main]<BR /> maxHotSpanSecs = 7776000<BR /> frozenTimePeriodInSecs = 188697600<BR /> </CODE><BR /> A workaround may be to reduce the maxHotSpanSecs to a week, to force the buckets to be smaller, and rotate more often.</P> <P>To verify the status of your buckets, and estimate if they meet the condition to be frozen you can use those dbinspect searches on the indexer.</P> <UL> <LI> for Splunk 6, for all indexes with autodetection from frozenTimePeriodInSecs </LI> </UL> <P><CODE>| dbinspect index=* | join index [|rest /services/data/indexes| eval index=title | table index frozenTimePeriodInSecs ] <BR /> | eval toNow=now()-endEpoch | convert num(toNow) | convert num(frozenTimePeriodInSecs)<BR /> | convert ctime(endEpoch) AS endEvent | convert ctime(startEpoch) AS startEvent <BR /> | eval shouldBeFrozen=if( ( state!="hot" AND state!="thawed" ) AND toNow&gt;frozenTimePeriodInSecs,"yes","no") <BR /> | table index path id state startEvent endEvent shouldBeFrozen toNow frozenTimePeriodInSecs<BR /> </CODE></P> <UL> <LI>for splunk 5 and 4, you have to manually add the values and do one index at a time</LI> </UL> <P><CODE>|dbinspect index=main<BR /> | eval frozenTimePeriodInSecs= 2592000<BR /> | convert timeformat="%m/%d/%Y:%H:%M:%S" mktime(earliestTime) AS endEpoch<BR /> | eval toNow=now()-endEpoch | convert num(toNow) <BR /> | convert num(frozenTimePeriodInSecs)<BR /> | eval shouldBeFrozen=if( ( state!="hot" AND state!="thawed" ) AND toNow&gt;frozenTimePeriodInSecs,"yes","no") <BR /> | table path id state earliestTime latestTime endEvent shouldBeFrozen toNow frozenTimePeriodInSecs<BR /> </CODE></P> Thu, 16 Jan 2014 01:10:55 GMT yannK 2014-01-16T01:10:55Z https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/116365#M24281 <P>My index has a retention of 6 months with frozenTimePeriodInSecs=15552000. <BR /> But I still see some events that are older than the retention.</P> <P>By example events that are from 6 month and 2 weeks.</P> <P>Any thoughts ?</P> Thu, 16 Jan 2014 01:05:41 GMT https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/116365#M24281 mataharry 2014-01-16T01:05:41Z https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/116366#M24282 <P>A bucket that contains events overlapping the time retention will not be frozen until all the events are older than the retention.</P> <P>By default indexes.conf has buckets with up to 3 months of span. So It's possible that you have buckets still overlapping<BR /> <CODE>[main]<BR /> maxHotSpanSecs = 7776000<BR /> frozenTimePeriodInSecs = 188697600<BR /> </CODE><BR /> A workaround may be to reduce the maxHotSpanSecs to a week, to force the buckets to be smaller, and rotate more often.</P> <P>To verify the status of your buckets, and estimate if they meet the condition to be frozen you can use those dbinspect searches on the indexer.</P> <UL> <LI> for Splunk 6, for all indexes with autodetection from frozenTimePeriodInSecs </LI> </UL> <P><CODE>| dbinspect index=* | join index [|rest /services/data/indexes| eval index=title | table index frozenTimePeriodInSecs ] <BR /> | eval toNow=now()-endEpoch | convert num(toNow) | convert num(frozenTimePeriodInSecs)<BR /> | convert ctime(endEpoch) AS endEvent | convert ctime(startEpoch) AS startEvent <BR /> | eval shouldBeFrozen=if( ( state!="hot" AND state!="thawed" ) AND toNow&gt;frozenTimePeriodInSecs,"yes","no") <BR /> | table index path id state startEvent endEvent shouldBeFrozen toNow frozenTimePeriodInSecs<BR /> </CODE></P> <UL> <LI>for splunk 5 and 4, you have to manually add the values and do one index at a time</LI> </UL> <P><CODE>|dbinspect index=main<BR /> | eval frozenTimePeriodInSecs= 2592000<BR /> | convert timeformat="%m/%d/%Y:%H:%M:%S" mktime(earliestTime) AS endEpoch<BR /> | eval toNow=now()-endEpoch | convert num(toNow) <BR /> | convert num(frozenTimePeriodInSecs)<BR /> | eval shouldBeFrozen=if( ( state!="hot" AND state!="thawed" ) AND toNow&gt;frozenTimePeriodInSecs,"yes","no") <BR /> | table path id state earliestTime latestTime endEvent shouldBeFrozen toNow frozenTimePeriodInSecs<BR /> </CODE></P> Thu, 16 Jan 2014 01:10:55 GMT https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/116366#M24282 yannK 2014-01-16T01:10:55Z https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/116367#M24283 <P>I think the Splunk 5/4 search is wrong. Wouldn't you want to make endEpoch as the <EM>latestTime</EM> as every event in the bucket needs to be older than the frozenTimePeriod. If I run that search, I get 'yes' for buckets that have an earliestTime that is older than the frozenTimePeriod, but with a latestTime that is newer. Those buckets wouldn't be deleted.</P> Thu, 10 Apr 2014 23:45:38 GMT https://community.splunk.com/t5/Getting-Data-In/bucket-retention-and-frozenTimePeriodInSecs/m-p/116367#M24283 hajducko 2014-04-10T23:45:38Z