Deployment Architecture

How does the frozen bucket work exactly?



So I have frozenTimePeriodInSecs=10368000 in my indexes.conf. That is 120 days old. Yet i have data going back more than 120 days. When does Splunk run its process to purge this data?

Guess I assumed a nightly job checked for old data and dumped it.

0 Karma


Refer to Freeze data when it grows too old in the Set a retirement and archiving policy page

You can use the age of data to determine when a bucket gets rolled to frozen. When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled. 

In other words the entire bucket has to be past that date, a bucket may contain 1 hour of data, it might contain data over a 3 week period, either way it cannot freeze until the most recent data is past the frozenTimePeriodInSecs

Splunk Employee
Splunk Employee

This is on a per index basis. It's possible you have other indexes that don't roll after 120 days.

0 Karma

Splunk Employee
Splunk Employee

hi @daniel333,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...