We have one index defined in indexes.conf with frozenTimePeriodInSecs as 365 days (31536000 seconds), but there are 3 years of data stored in the index. It seems it does not work if we just define the retention time period in frozenTimePeriodInSecs. Can someone help?
$ view ./apps/launcher/local/indexes.conf
coldPath = $SPLUNK_DB/Indexname/colddb
homePath = $SPLUNK_DB/Indexname/db
thawedPath = $SPLUNK_DB/Indexname/thaweddb
frozenTimePeriodInSecs = 31536000
Also, the data (bucket) is frozen only when the most recent event in the bucket is older than the retention period. Sometimes, a bucket can have data for a varying/larger date range (e.g. a bucket has data for 1 whole year) and doesn't roll until the event with the newest time is older than the retention period. See this for more information on the same.
Sure. Run the btool command on your indexers to see what frozenTimePeriodInSecs is effective.
Go to $SPLUNK_HOME/bin and then run this:
./splunk btool indexes list IndexName --debug
This should show you what the effective configuration is and from what location.
OK. As a good practice, please put all your config in a custom 'app' or under the 'search' app if it's temporary. If the issue is resolved, please accept the answer to close the thread.
I pulled data from the Search head and found that it has 3 years of data, but when I logged in to check the configuration files it shows me 1 year retention settings.
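The answer above says a bucket is frozen only when its newest event is older than the retention period. The following added example (not part of the original thread) applies that rule to warm/cold bucket directory names, which encode the newest and oldest event times, to show how events older than frozenTimePeriodInSecs can stay searchable. The bucket names, the `now` value and the function names are constructed for illustration.

```python
import re

# Warm/cold bucket directory: db_<newestEpoch>_<oldestEpoch>_<localId>,
# optionally followed by _<guid> on clustered indexers; rb_ is a replicated copy.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")

def parse_bucket(name):
    """Return newest/oldest event epochs from a bucket directory name, or None."""
    m = BUCKET_RE.match(name)
    if not m:
        return None  # hot buckets (hot_v1_<id>) and unrelated entries are skipped
    newest, oldest, local_id = map(int, m.groups())
    return {"name": name, "newest": newest, "oldest": oldest, "id": local_id}

def retention_report(names, frozen_secs, now):
    """Classify each bucket against frozenTimePeriodInSecs.

    Returns (name, status, days_past_retention) where the last value is how
    far the bucket's oldest event lies beyond the retention cutoff.
    """
    cutoff = now - frozen_secs
    report = []
    for b in filter(None, map(parse_bucket, names)):
        if b["newest"] < cutoff:
            status = "freeze-eligible"            # whole bucket is past retention
        elif b["oldest"] < cutoff:
            status = "retained-with-expired-events"  # newest event keeps it alive
        else:
            status = "within-retention"
        days_past = max(0, cutoff - b["oldest"]) // 86400
        report.append((b["name"], status, days_past))
    return report

# Constructed sample: directory listing of one index and a fixed "now".
SAMPLE_BUCKETS = [
    "db_1600000000_1590000000_12",
    "db_1699000000_1610000000_13",   # wide time span, recent newest event
    "db_1699900000_1690000000_14",
    "hot_v1_15",
]
SAMPLE_NOW = 1700000000
FROZEN_SECS = 31536000  # value from the indexes.conf in the question

if __name__ == "__main__":
    for row in retention_report(SAMPLE_BUCKETS, FROZEN_SECS, SAMPLE_NOW):
        print(*row, sep="\t")
```

A bucket reported as retained-with-expired-events still holds events well past the one-year setting, which matches the behaviour described in the question.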