Deployment Architecture

How does the frozen bucket work exactly?

Builder

All,

So I have frozenTimePeriodInSecs=10368000 in my indexes.conf. That is 120 days old. Yet i have data going back more than 120 days. When does Splunk run its process to purge this data?

Guess I assumed a nightly job checked for old data and dumped it.

0 Karma

SplunkTrust
SplunkTrust

Refer to Freeze data when it grows too old in the Set a retirement and archiving policy page

You can use the age of data to determine when a bucket gets rolled to frozen. When the most recent data in a particular bucket reaches the configured age, the entire bucket is rolled. 

In other words the entire bucket has to be past that date, a bucket may contain 1 hour of data, it might contain data over a 3 week period, either way it cannot freeze until the most recent data is past the frozenTimePeriodInSecs

0 Karma

Splunk Employee
Splunk Employee

This is on a per index basis. It's possible you have other indexes that don't roll after 120 days.

http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Setaretirementandarchivingpolicy

0 Karma

Splunk Employee
Splunk Employee

hi @daniel333,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma