Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How is frozenTimePeriodInSecs applied?

redc
Builder
‎02-20-2014 06:40 AM

Is this applied (or can it be applied) on an index-by-index basis, or does it apply to everything on the indexer? For example, I have one index containing data of a type that I want to freeze after 90 days (7776000 seconds), but another index containing data that I want to keep for as long as possible (for now, 188697600 seconds).

Can I simply add frozenTimePeriodInSecs in indexes.conf to the index I want to truncate earlier and not to the second one (or add it to the second one with the default number of seconds applied)?

E.g.:

[90day_index]
frozenTimePeriodInSecs = 7776000

[forever_index]
frozenTimePeriodInSecs = 188697600
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aelliott
Motivator
‎02-20-2014 06:42 AM

You set it in indexes.conf on an index per index basis.
And yes you can do it exactly as you state.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aelliott
Motivator
‎02-20-2014 06:42 AM

You set it in indexes.conf on an index per index basis.
And yes you can do it exactly as you state.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy

0 Karma
Reply
Solved! Jump to solution

cave_splunker
Explorer
‎05-19-2023 01:52 PM

Thank you for the link update!

0 Karma
Reply
Solved! Jump to solution

redc
Builder
‎02-20-2014 06:43 AM

Thanks for the speedy response!

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...