Solved: Re: How is frozenTimePeriodInSecs applied?

redc · ‎02-20-2014

Is this applied (or can it be applied) on an index-by-index basis, or does it apply to everything on the indexer? For example, I have one index containing data of a type that I want to freeze after 90 days (7776000 seconds), but another index containing data that I want to keep for as long as possible (for now, 188697600 seconds).

Can I simply add frozenTimePeriodInSecs in indexes.conf to the index I want to truncate earlier and not to the second one (or add it to the second one with the default number of seconds applied)?

E.g.:

[90day_index]
frozenTimePeriodInSecs = 7776000

[forever_index]
frozenTimePeriodInSecs = 188697600

aelliott · ‎02-20-2014

You set it in indexes.conf on an index per index basis.
And yes you can do it exactly as you state.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy

View solution in original post

aelliott · ‎02-20-2014

You set it in indexes.conf on an index per index basis.
And yes you can do it exactly as you state.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy

Georgiev · ‎11-14-2022

Bump to working URL: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy

cave_splunker · ‎05-19-2023

Thank you for the link update!

redc · ‎02-20-2014

Thanks for the speedy response!

How is frozenTimePeriodInSecs applied?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How is frozenTimePeriodInSecs applied?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR