https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335219#M163333 <P>The information you see under [default] is a global setting that take precedence if you haven't defined a setting for a specific index. These settings come from <CODE>/etc/system/default/indexes.conf</CODE>. This can be a bit confusing as if you look into indexes.conf, global settings do not exist within a [default] stanza. Additionally, there is no need to create a [default] stanza.</P> <P>If you take a look at the settings in <CODE>$SPLUNK_HOME/etc/system/default/indexes.conf</CODE>, you'll notice the settings for <CODE>frozenTimePeriodInSecs</CODE> matches the setting under this section:</P> <PRE><CODE>&lt;code&gt;# index specific defaults frozenTimePeriodInSecs = 188697600 &lt;/code&gt; </CODE></PRE> <P>Since this setting also exists for [main], per the btool ouput, the setting for main takes precedence. This is part of the reason that btool is a technical support utility. The output can be confusing if you aren't sure what to expect. In this instance, since btool does show main as having the value defined, you can be sure that this is what will take effect. If you wanted to ensure all indexes had this behavior by default, you could copy the global settings from <CODE>$SPLUNK_HOME/etc/system/default/indexes.conf</CODE> into <CODE>$SPLUNK_HOME/etc/system/local/indexes.conf</CODE>.</P> <P>Also,<BR /> You set it in <CODE>local/indexes.conf</CODE> on an <CODE>index per index basis</CODE>. <BR /> And yes you can do it exactly as you state.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy">http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy</A></P> <PRE><CODE>[your_custom_index] frozenTimePeriodInSecs = &lt;retention_period&gt; </CODE></PRE> <P>let me know if this helps!</P> Fri, 26 Jan 2018 05:56:36 GMT mayurr98 2018-01-26T05:56:36Z https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335217#M163331 <P>I have a local indexes.conf file on all my indexers:<BR /> [default]<BR /> <CODE>frozenTimePeriodInSecs = 63072000</CODE> # 2 yr<BR /> [main]<BR /> <CODE>frozenTimePeriodInSecs = 15552000</CODE> # 180d</P> <P>This seems to have worked on main but not on any other indexes. Does frozenTimePeriodInSecs work in [default]? Or do I have to enter a value for each index? Or should I put the value outside a stanza?</P> Thu, 25 Jan 2018 20:53:41 GMT https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335217#M163331 wsanderstii 2018-01-25T20:53:41Z https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335218#M163332 <P>The attribute <CODE>frozenTimePeriodInSecs</CODE> is per index option, so it should be specified in the stanza for each index. Without specifying it, default value of it would be 6 years or 188697600. </P> <P>When you specify it in <CODE>[default]</CODE> section, it's getting applied to default index which is main (as specified in attribute <CODE>defaultDatabase</CODE>)</P> Thu, 25 Jan 2018 21:00:29 GMT https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335218#M163332 somesoni2 2018-01-25T21:00:29Z https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335219#M163333 <P>The information you see under [default] is a global setting that take precedence if you haven't defined a setting for a specific index. These settings come from <CODE>/etc/system/default/indexes.conf</CODE>. This can be a bit confusing as if you look into indexes.conf, global settings do not exist within a [default] stanza. Additionally, there is no need to create a [default] stanza.</P> <P>If you take a look at the settings in <CODE>$SPLUNK_HOME/etc/system/default/indexes.conf</CODE>, you'll notice the settings for <CODE>frozenTimePeriodInSecs</CODE> matches the setting under this section:</P> <PRE><CODE>&lt;code&gt;# index specific defaults frozenTimePeriodInSecs = 188697600 &lt;/code&gt; </CODE></PRE> <P>Since this setting also exists for [main], per the btool ouput, the setting for main takes precedence. This is part of the reason that btool is a technical support utility. The output can be confusing if you aren't sure what to expect. In this instance, since btool does show main as having the value defined, you can be sure that this is what will take effect. If you wanted to ensure all indexes had this behavior by default, you could copy the global settings from <CODE>$SPLUNK_HOME/etc/system/default/indexes.conf</CODE> into <CODE>$SPLUNK_HOME/etc/system/local/indexes.conf</CODE>.</P> <P>Also,<BR /> You set it in <CODE>local/indexes.conf</CODE> on an <CODE>index per index basis</CODE>. <BR /> And yes you can do it exactly as you state.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy">http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy</A></P> <PRE><CODE>[your_custom_index] frozenTimePeriodInSecs = &lt;retention_period&gt; </CODE></PRE> <P>let me know if this helps!</P> Fri, 26 Jan 2018 05:56:36 GMT https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335219#M163333 mayurr98 2018-01-26T05:56:36Z https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335220#M163334 <P>Actually what worked was putting "frozenTimePeriodInSecs = 63072000" (2 years) <STRONG>outside of any stanza</STRONG> in /opt/splunk/etc/master-apps/_cluster/local/indexes.conf.</P> <P>Thanks for the replies.</P> Fri, 26 Jan 2018 17:29:14 GMT https://community.splunk.com/t5/Splunk-Search/Does-frozenTimePeriodInSecs-work-in-default/m-p/335220#M163334 wsanderstii 2018-01-26T17:29:14Z