Deployment Architecture

Behavior of frozenTimePeriodSecs

justinjohn83
Explorer

In my indexes.conf I've set "frozenTimePeriodSecs" to "3888000" => 45 days. I've specified no coldToFrozenScript, so I am assuming that any data older than 45 days should be discarded. The trouble is I am still seeing data with timestamps older than 45 days in the search results. Am I misunderstanding how this parameter is supposed to work? I am running Splunk 4.1.6.

Thanks,

Justin

0 Karma
2 Solutions

David
Splunk Employee

What is your data volume? With small volumes, what will often happen is that the data will never leave the hot buckets, and then the warm buckets will never turn to frozen (e.g., be deleted).

Alternatively, it could be that the particular bucket may have just not rolled over yet. If you have a large volume, are you seeing data way older than 45 days? Part of this is that buckets roll over; events don't. The buckets contain the events, so it is almost the same thing, but any given bucket is going to contain a range of events (dependent on the bucket size).

You might find value in looking at these two Answers:

Hopefully that's of some value, and not way too basic.


0 Karma

gkanapathy
Splunk Employee

Data will eventually leave hot buckets, as long as it keeps coming in till one is full. A bucket can get up to 10 GB in size (by default) but could be smaller.

Data will only be deleted when all data in a bucket is older than frozenTimePeriodInSecs. So if you have older data that is sharing a bucket with more recent data (up to 10 GB [compressed] of more recent data) then the older data may not be deleted until that has all aged off.


yannK
Splunk Employee

Hot and thawed buckets will not be frozen, and buckets will only be frozen because of frozenTimePeriodSecs if ALL events in it are older than the retention.

0 Karma
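The rule gkanapathy and yannK describe (retention is applied per bucket, against the bucket's newest event, and never to hot or thawed buckets) can be checked with a small model. This is an added example, not code from the thread or from Splunk; the bucket names, states and event times are constructed, and the setting is spelled frozenTimePeriodInSecs as it appears in indexes.conf.

```python
from dataclasses import dataclass

DAY = 86400
# Value from the question: 3888000 seconds = 45 days.
FROZEN_TIME_PERIOD_IN_SECS = 3888000

@dataclass(frozen=True)
class Bucket:
    name: str
    state: str      # "hot", "warm", "cold" or "thawed"
    earliest: int   # epoch seconds of the oldest event in the bucket
    latest: int     # epoch seconds of the newest event in the bucket

def is_frozen_by_age(b, now, retention=FROZEN_TIME_PERIOD_IN_SECS):
    """Age-based freezing applies to whole buckets, never to single events:
    a warm or cold bucket freezes only once its NEWEST event is older than
    the retention period. Hot buckets (still being written to) and thawed
    buckets are never frozen by this setting."""
    if b.state not in ("warm", "cold"):
        return False
    return now - b.latest > retention

def retained(buckets, now):
    """Names of buckets that stay searchable after age-based freezing."""
    return [b.name for b in buckets if not is_frozen_by_age(b, now)]

def oldest_searchable_age_days(buckets, now):
    """Age in days of the oldest event still on disk (what searches show)."""
    kept = [b for b in buckets if not is_frozen_by_age(b, now)]
    return max(now - b.earliest for b in kept) // DAY

def days_until_frozen(b, now, retention=FROZEN_TIME_PERIOD_IN_SECS):
    """Days until a warm/cold bucket's newest event ages out; None for
    hot/thawed buckets, which do not freeze by age at all."""
    if b.state not in ("warm", "cold"):
        return None
    return max(0, b.latest + retention - now) // DAY

# Constructed sample, with "now" at day 100 of the index's life.
NOW = 100 * DAY
SAMPLE = [
    Bucket("db_a", "cold", 10 * DAY, 40 * DAY),   # newest event 60 days old: frozen
    Bucket("db_b", "warm", 30 * DAY, 70 * DAY),   # 70-day-old events kept by 30-day-old ones
    Bucket("db_d", "warm", 50 * DAY, 54 * DAY),   # newest event 46 days old: frozen
    Bucket("hot_c", "hot", 20 * DAY, 99 * DAY),   # low volume: never filled, never rolled
]
```

On a real index the per-bucket state and earliest/latest event times can be read with the `dbinspect` search command (`| dbinspect index=<name>`), which reports them as the state, startEpoch and endEpoch fields.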
